MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ef212cf526944c2fa757b4f6ca3221515fa878dcf58230a59ee6084fa433483c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 4 File information Comments

SHA256 hash:	ef212cf526944c2fa757b4f6ca3221515fa878dcf58230a59ee6084fa433483c
SHA3-384 hash:	4f08d2b8f109cf9cf79d44affd4ba0c081dd93e47ad1a7c955d62765cbdf90f170643e90b6bdf270c605579bef14573e
SHA1 hash:	71402a6d8f6e77afda17dbe773a140c67877318c
MD5 hash:	494ac6566d18940d34a53f73269bc57e
humanhash:	single-edward-pluto-tennis
File name:	494ac6566d18940d34a53f73269bc57e.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	501'248 bytes
First seen:	2020-07-09 06:41:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	04726b68348c0c3cf827797a9f6695eb (10 x AgentTesla, 1 x Loki, 1 x 404Keylogger)
ssdeep	12288:gjoPmt9g7vExLdgc3I1UtdXPSIY8DZIdWz4:ioukzExxTZaIpZId7
Threatray	11'640 similar samples on MalwareBazaar
TLSH	B9B422E0EFAE4441F76C8973C9670FB35B22F99670065F135A5F081EF1B1056BDA228A
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.papayatreehotels.com:26

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23423/

Detection(s):

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-6

PUA.Win.Packer.Upx-4

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a service

Creating a file

Stealing user critical data

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ef212cf526944c2fa757b4f6ca3221515fa878dcf58230a59ee6084fa433483c/

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-09 00:20:44 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=54qsz5jgsrgc7j2xwt3mumrbkfp2q6g46wbdbjm64yee7jbtja6a._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

2409f04509b447f04121091d6b20dde5291413f155de031ef7e306c736ed9242

AgentTesla

2f82dffb6984064e3a865298818c2081de389fced1e4d98b12f2da014a74fcb9

AgentTesla

6b0f2c8d4a8c8883be658db9868b33db30eb73755e4688279c29599eb25c6099

AgentTesla

7b0682f987e2856b5ccdb1c31fc5ac81df44c270940d71b3c403a9f361191afb

AgentTesla

8b90d7894eecdabe437c469f62ca2cf8cff3fed04fc0e01287bfb2bde6454ee1

AgentTesla

935e5bb0fe7441931cbc606436d22e48c1990f2b421c14980b1cd5ae4eaf9975

AgentTesla

aa218adce0cc32486a75b6e5a2669c8b82afac444485f3d44bb168482276ad4e

AgentTesla

bae75dd4f9b20cf70c03927276a3b96c77f71916bead7d15477499ab1d13d499

AgentTesla

dc093e568e38e5fa992a6f77e85023798941a32c24b541b5ad5b94708564ff91

AgentTesla

+ 11'630 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

n/a

Link:

https://tria.ge/reports/200709-w9hk6cc8y2/

Behaviour

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/23423/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample