MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec17348438d8e6c04f18e329968d37c5d1be05148a7b770e926b8ebeca75f06e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec17348438d8e6c04f18e329968d37c5d1be05148a7b770e926b8ebeca75f06e
SHA3-384 hash: 90b59f16a22bc4878c77cf24effb1e4b66d79e7ef261215dbc4bf54bcf4325e1cb41ee0243bd3ffddeeb9f04efdee8b3
SHA1 hash: 9cf611d4dc4977a13c295595cfb10752187d0240
MD5 hash: 98bde7cf709a9b5b89079ff746c5218b
humanhash: mississippi-lactose-winner-uranus
File name:Att.2 PROJECT SPECIFICATION.zip.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:598'016 bytes
First seen:2020-06-11 05:44:18 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:tsf3W1kpstT+BwnzVI4ZtWiptRycpxCPY5wtm8j4Rl:tD1kpstTFXZtWip2crBIm8
Threatray 10'972 similar samples on MalwareBazaar
TLSH 7CD4E04836E5BF4EC32E4EB6151728105BB165637E0BF2835CCB26DA541EFCA4B05B8B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: kingoak.com
Sending IP: 72.4.144.87
From: Jong-hyoun, Lee (HYUNDAI ENGINEERING CO) <jhj93h@hec.co.kr>
Reply-To: Patrick Jeong / Ops Dept <geojeff1993@gmail.com>
Subject: PROJECT: Hassi Messaoud Refinery Project, Algeria
Attachment: Att.2 PROJECT SPECIFICATION.zip.rar (contains "Att.2 PROJECT SPECIFICATION.zip.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/8860/
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 05:46:10 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5qltjbby3dtmatyy4muzndjxyxi34biurj5xodusnohl5stv6bxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03fc6fb46457641645117a9c29292069714568ff711647455c70769d7ab3485a
AgentTesla
2a9ff7b8ca6a12f714779ecdcd2d86ccf9ad03da04de4a45aa8c3c97b7209c8f
AgentTesla
50e9f1e4d84a3a4a4a7487fcd1854b7a9b985a8a87693f51942d1ec3e5a21afe
AgentTesla
532b875f09991cdf7b57db59f0f7aa579d49b229d65ad1ace9f67bf6ffc7bca5
AgentTesla
5f2517598649fe78e58966a15e9fea89e43ee57aa0ad6b779ef18be53eb39a2b
AgentTesla
60da286e39c0c6dcee0d9daafbf5c6662b818c9a36b77d8ba5f4314e94d9baea
AgentTesla
872e06d165968c0548d362d26c3c05ba9c3f35fe1066c5623dded0dd7cbb92f2
AgentTesla
9b5b44ded4ede28d92834c4db286780a5628d02597a739ff3633f808d47f0939
AgentTesla
a4cebe4913d275f7387b8d8b2acb7d76324550746e8802f28d432a15d3608194
AgentTesla
ae5944dcb44caf7dd6357559e2f786208326731da4afac332f5b07b8c6313cac
AgentTesla
+ 10'962 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-wfx7tx43r6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar eb1c675f76a3f7d6e83079820f717b378fdbac6f4df980094ee7f56934e1aa1b

AgentTesla

Executable exe ec17348438d8e6c04f18e329968d37c5d1be05148a7b770e926b8ebeca75f06e

(this sample)

  
Dropped by
MD5 52bd56ff70b670f10fd2612811df0015
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 eb1c675f76a3f7d6e83079820f717b378fdbac6f4df980094ee7f56934e1aa1b
Cape
Cape
https://www.capesandbox.com/analysis/8860/

Comments