MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee6801317f50de988a4d0a24953331cb141a28903a11dac3bf95e58c9bf0bd2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	ee6801317f50de988a4d0a24953331cb141a28903a11dac3bf95e58c9bf0bd2b
SHA3-384 hash:	879822f3f2844a364e5149698f4515ca0252bd893e6be6044b2df3d324fa3b959d4e2f0253c0ca26517190d99dcce2d4
SHA1 hash:	fa1e7270151cc048fae3c5ba9776a53b52a41260
MD5 hash:	844ac33156166cdfba34d705abf4b352
humanhash:	three-quebec-mars-sad
File name:	PURE CHEM CO.,LTD.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	831'488 bytes
First seen:	2020-05-12 16:20:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	8e6e98a800af710a823c84ca54e3cbb4 (14 x AgentTesla, 4 x Loki, 3 x NanoCore)
ssdeep	12288:33IBD2b65mJPljOYeL/ZJVmxq2Wja37RjQof/aEwfoKO+dCxkJaVbXEPlEKRem:3Y5Wtqhz4Q0P3aEfmEkJaxEPlEo/
Threatray	11'090 similar samples on MalwareBazaar
TLSH	9105B066F2B04C33C1676A389C1B5658AAFABE003E3899476BF41D4C6F3879139752D3
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: mail.genoxyl.cf
Sending IP: 94.177.242.23
From: sale-manager@purechem.net <sales@belbev.asia>
Subject: ENQUIRY FROM PURE CHEM CO.,LTD
Attachment: PURE CHEM CO.,LTD.zip (contains "PURE CHEM CO.,LTD.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.BehavesLike.Win32.Fareit.cc.21246.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-12 05:34:02 UTC

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5zuacml7kdpjrcsnbisjkmzrzmkbukeqhii5vq57sxsyzg7qxuvq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

055003691500c11f1b394adb49639fde72de3834e84b59256c898fd0d2e33ee4

AgentTesla

25d747802b9ce8ff29860bc3fd6c9822b18108b8b0b1f0b781924203f4ff48f3

AgentTesla

2fcc3c49cbacd359f308ab59cbafdec24f95d4b638bf9c2fd5dd466379dac3aa

AgentTesla

312de3802dada78c710b868a26d744dc65991de475bc741c21c5714a84977813

AgentTesla

8d286ef1e89c7538ea015f40f8accaa1430b2f479684fa6804f762326ed11f75

AgentTesla

96d373f93a0d1c05de6257d6aac03d42c375ffb8e6cf78cbc279918a31a9f9d2

AgentTesla

aeadc285fe321cd37a6c8d73c4e493690d0df6de1ac3d7ad0806f5fa70a02441

AgentTesla

ee7ad8e5b1668792ad637972d788af49d288c6a8789a1c9bbee5f6df9ec7df00

AgentTesla

f4ee68967541641ce9b2ba8ba7f2741d9756cde1a4f32ba9495cf35ba06b7f01

AgentTesla

+ 11'080 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan upx

Link:

https://tria.ge/reports/201109-2n9z751mxx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Drops startup file

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar