MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea12e8397d1e8afb620094bdb30d803b2f667b15fc8e415c94b8c6c3c6c403f4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea12e8397d1e8afb620094bdb30d803b2f667b15fc8e415c94b8c6c3c6c403f4
SHA3-384 hash: 666e3a0988a329777433069aa9675954ff4577a0816659d6cf99d0ecab3eb62090af030c54cf82b1863363808e486a7b
SHA1 hash: 913435a45a3d9c360d83786d8e0f8d134e52e00f
MD5 hash: dc40b576daf11fc6aa4b3bef810f7531
humanhash: eight-foxtrot-fix-tennis
File name:(PO.4029530.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'511'424 bytes
First seen:2020-05-22 08:47:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:gtb20pkaCqT5TBWgNQ7aV+viVvN1YywHTB72N1jme2IilbW6A:pVg5tQ7aVOiVvXY/Bc1jmhxlK5
Threatray 11'205 similar samples on MalwareBazaar
TLSH 7E65D02363FD8363C3725173BA157712BEBF782506A5F46B2F98093CA920121525E6BF
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.strongmailvault.com
Sending IP: 111.90.144.214
From: office@jinpao.us
Subject: Re: PO.4029530 URGENT
Attachment: PO.4029530.zip (contains "(PO.4029530.exe")

AgentTesla SMTP exfil server:
smtp.itanlprotec.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-22 09:09:36 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
21 of 31 (67.74%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a44ee4a63f01378570de7668ee2daa17534d296a6ff2c45bc14d8f9b07bb837
AgentTesla
33f3c581f4bc6cb4c7e6b63a6857220ab404020f188650f11bf0ec55e96877a4
AgentTesla
4917103eef77ce8fd5beb88efd446180445e0ee6ac933f5e42443d3673d62bc8
AgentTesla
8ad69f7487e5a7b06d3c9b12d4fdbf6604462f90ddc2e1986dd61eaf8427e724
AgentTesla
a7db22ac79e30d4838c31b0dd7ce2a4029471a16a495a9165f3c817596d63cea
AgentTesla
ace81f39328203e1b2ab8f1c2b0c56f085583ae71ab90ca53f911e4b67cd9f7a
AgentTesla
c5aa13bc531e8381c2e271584ef2e91eb14cde3c62b0a1d76196576f8aa7c28d
AgentTesla
f07181ecedecc14725115fc329ce7515ccba9b8da3e05eb95b793bd470e687cd
AgentTesla
f0c92379b72cf50682e6207b554234e636ea40cc31d98c9fa491c6314b20687e
AgentTesla
f27357769e88135e1c6e8931638d380df6cb1f1053321f0efe1025a946a29091
AgentTesla
+ 11'195 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-z924kfmzf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 3be1e0513df81445da2fccdcbb05b027da941ff46a5fdf819509d8956a58e932

AgentTesla

Executable exe ea12e8397d1e8afb620094bdb30d803b2f667b15fc8e415c94b8c6c3c6c403f4

(this sample)

  
Dropped by
MD5 6410e99ca7ac7e32aa92fed576a5a791
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3be1e0513df81445da2fccdcbb05b027da941ff46a5fdf819509d8956a58e932

Comments