MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ea1e920b88c5129a91704c6075aa29e5e0f86240f64ad742497eefdbde4ea207. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ea1e920b88c5129a91704c6075aa29e5e0f86240f64ad742497eefdbde4ea207
SHA3-384 hash: 350bf7beaa27f7727493f498b7ec5e5e6883ba51046768498bfea78311d9a23083c14e6cb4a4621e85256c6ba5c9ff03
SHA1 hash: b368708a1e151959747fea4d02ad48f89f63e17f
MD5 hash: 16c00bfee37d96d961cbcacc073c7d8a
humanhash: oscar-thirteen-beer-early
File name:Shipping Document PL&BL Draft.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:761'856 bytes
First seen:2020-06-23 07:03:44 UTC
Last seen:2020-06-23 07:59:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:dKxw2aojboZYpxjAfVq4GllFebj/YuJnmfU8RD1QkaAYwWWwoUn7zwONfgKKyQ40:dNojXEfk/ll8tJoTr1ET7MONfbKyQ40
Threatray 10'720 similar samples on MalwareBazaar
TLSH DAF47B2E7681780EC13C493204AA5D94A3B2E6473702C70FB9CBA7AC6F156DF7F46199
Reporter abuse_ch
Tags:AgentTesla exe TNT


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail0.716.semiopraxi.casa
Sending IP: 167.71.37.236
From: TNT EXPRESS <service@tnt.com>
Subject: Consignment Notification for 243740512 : You Have A Package With Us
Attachment: Shipping Document PLBL Draft.img (contains "Shipping Document PL&BL Draft.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12888/
Detection(s):
SecuriteInfo.com.Variant.Ursu.919897.11022.21233.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ea1e920b88c5129a91704c6075aa29e5e0f86240f64ad742497eefdbde4ea207/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-23 07:05:04 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ipjec4iyujjvelqjrqhlkrj4xqpqysa6zfnoqsjp3x5xxsouidq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b47b1d455c8523eb73b69934c91f2082277e5ba705e066fceaf927b81e4c060
AgentTesla
24da2a4f73f7d7c4ff56080bb08611a27457e5f30b8a67dc4a3dd35b51019710
AgentTesla
3027dc21e325fddbc9e6cd21b0491f3270190f219776de4971e510c4490d3c25
AgentTesla
35628fc8f90a6db8f30ab2f3ec4b743190381958f72c75d1a8ae828d6afb6370
AgentTesla
380f06e9a34d63f3b41e94cdb6781254e7582c811adaaf48855d4e945e8f96b0
AgentTesla
686bf5243c5d71d36ce6c9b870cad9316aa1218154614fdcd091d7bb8573ca2c
AgentTesla
76db6b7b9b663266d976b95b4d5a2c9d6f87052fa39dee973ca91952d20605ef
AgentTesla
8ac04f1edad3360a1775f325e346acd0950cf28d49d6bb083191c899d9528d76
AgentTesla
a9297e27075d755670954bcffb05bc3dd60fde115a342c93a6e76ac9ff6b9494
AgentTesla
f963457d5a9d27cbce5df7a6ce4fb9dd288e23ef473bd90cdb3059d454949d5a
AgentTesla
+ 10'710 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/200624-8fwmfzdj5n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

f744e27313508fa5f65da6a8b6b1b62d

AgentTesla

Executable exe ea1e920b88c5129a91704c6075aa29e5e0f86240f64ad742497eefdbde4ea207

(this sample)

  
Dropped by
MD5 f744e27313508fa5f65da6a8b6b1b62d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12888/

Comments