MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e9c5a3a5b00b7cccf4bb4f57ed7aed786d326ed8670bb4b7858d800a7d481148. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e9c5a3a5b00b7cccf4bb4f57ed7aed786d326ed8670bb4b7858d800a7d481148
SHA3-384 hash: e185928b7cefcddd4617ab0f2d5edeb09c51b84857c994b3ec8c89139af1d7396bb8f30041f6eaff76107658bda883d9
SHA1 hash: 2406e24eaf9f6711813ff12ff85ed51bb299ef4c
MD5 hash: 58b212d8fd89cd54104754fe0b9d26ad
humanhash: carolina-golf-massachusetts-video
File name:PaymentRef.2020.5.8.img.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:494'080 bytes
First seen:2020-05-08 07:40:44 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:/O+LkfF0sqt6xKs3yVMcmf95usDwCQkA70Qk:Sd0ta18eeszyk
Threatray 10'663 similar samples on MalwareBazaar
TLSH 01B4E048356D23BED467CAB59AD1DC60C7207267B293E3A7885310C94ADDF82CE09DB7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.ence.marketing
Sending IP: 62.138.11.76
From: stream@singnet.com.sg
Reply-To: serhaitoguz34@gmail.com
Subject: RE: Payment: Customer remittance $9217.58
Attachment: IMG_PaymentRef.2020.5.8.img (contains "PaymentRef.2020.5.8.img.exe")

AgentTesla SMTP exfil server:
mail.oltec.com.sg:587

AgentTesla SMTP exfil email address:
jden@oltec.com.sg

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.45027.17955.9663.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-08 08:18:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
26 of 30 (86.67%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5hc2hjnqbn6mz5f3j5l626xnpbwte3wym4f3jn4frwaau7kicfea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02466f6a6f4a7b3abd212c5a0b27c8e75a29c2abb19771f22e231321d40f2c39
AgentTesla
36adc32ee7a0c83b662d08a804004e8129aaef0cd75e76376ff23f0fe3dd831f
AgentTesla
4c94424fc829259b782a3efc78979df11d0f768ee71aa65c2ad611efbd055e2b
AgentTesla
50946bb2be1a9fb71dfd068710893588bfcbeacdf2cde3e0270c2f6487594a99
AgentTesla
a1d0c4b67f70957eb177330c4bac5fb51496f87b7be4e86580673a9e3442ad83
AgentTesla
a795ffcfaa9ad62c2bccc4c7240e6a96840c1b2ee7afd6b718526e9c61e6732c
AgentTesla
bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6
AgentTesla
eb202130d25c28fe1651130652ab70014c7dd3ede102938c38ee1e7aa065ba53
AgentTesla
f409ca377c0798d6ca1e31001e93e6ffdb09fdf5d9798209206204f68ce5136b
AgentTesla
f8166c3c857a7a3ba99515cf6ae242a78050fba7608e24a88e2559e0063a187a
AgentTesla
+ 10'653 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-j1ng5qet8x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img fd565413e45099e35bd06f454d409680233829eb5ac98824226bdf1d2cf3345d

AgentTesla

Executable exe e9c5a3a5b00b7cccf4bb4f57ed7aed786d326ed8670bb4b7858d800a7d481148

(this sample)

  
Dropped by
MD5 6fd689af8b78ff41fefbaf14e6d7f224
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fd565413e45099e35bd06f454d409680233829eb5ac98824226bdf1d2cf3345d

Comments