MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee987a88ac7966c91dfde419e7389236d138129a828d6819acb6c211b8954b3c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	ee987a88ac7966c91dfde419e7389236d138129a828d6819acb6c211b8954b3c
SHA3-384 hash:	49205dd01d8bae708030df60ee6e122c4b9c26e481254e7b862da23635a1da9a5b3175a6e5215673248a52e6e842a2dd
SHA1 hash:	2e0318599026ffa5f0ed96887c07f277bd31c06d
MD5 hash:	2427396448727bc80a428ea0af692d6c
humanhash:	zebra-iowa-carbon-moon
File name:	ref.#16ETS00030.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	782'336 bytes
First seen:	2020-07-15 13:46:54 UTC
Last seen:	2020-07-15 16:21:12 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:R5kRlKFk04/10hRnUgBWBGPOZl6EbDE27Tu0GjxMQBntIw0rXPfKCh4p:ISWT2RTgAmZBo27TuBxntIR4
Threatray	57 similar samples on MalwareBazaar
TLSH	56F4086A678D5480F43D373510ECB8B176709E435E1DE70E35D20BEE7AD21DA2A838B9
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/26035/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.368.27221.7555.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process by context flags manipulation

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ee987a88ac7966c91dfde419e7389236d138129a828d6819acb6c211b8954b3c/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-15 04:16:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

40 of 48 (83.33%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=52mhvcfmpftmshp54qm6ooesg3itqeu2qkgwqgnmw3bbdoevjm6a._file

Verdict:

unknown

AgentTesla

6093b0ef8a611c4be1ce3aed1ff0611027ecade6b61e74e5ba8708b061d20c40

AgentTesla

6ef5fce9946da4cd9e356713d79b22f4615c7447eb4b3861d46bb816c97b88ee

AgentTesla

7e0b697ca060ceb919fa17715a88ffe9cf8ad66e3e95a720400f27777fbed132

AgentTesla

8e18f7d57532e145224c23b3bdbdfcc04cb394e0e3506bccef49eed06f3d2e10

AgentTesla

918973702e97922d932c32d86618ebd35116fb2d67a93cafd0f53a5b7b30da29

AgentTesla

a8ceb9e755bac10e6dd5f252d6174e12d69f27495e27c0fcb16034178072276d

AgentTesla

a96a96a53fa6c86c3a3b898caf9b5146409680cc926b1f73c5bf4fe80bf90cdb

AgentTesla

b01d0e871f96ddcf4df2358b7a452c488d628829d14d5ede0a58243cdd1dbdc7

AgentTesla

de006c9526937934142c1f991be7b89fe9d9fd6c080bc340e8fc542e850fd4f4

AgentTesla

+ 47 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200715-xcexq43pze/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/26035/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample