MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f29f0a32dde99ca599dbddf62fb0d004a97095695c388ebd95eac22078a2f360. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f29f0a32dde99ca599dbddf62fb0d004a97095695c388ebd95eac22078a2f360
SHA3-384 hash: 4c0defbb08da1c0fad1b43d1e175491ae757686979a2dec2d8033255e7c2770db5a64f0043568416822fe79a30e88c5e
SHA1 hash: 7ffce2d232dd5877c9b780810f4f0fa9973ca8c0
MD5 hash: c26af334fbec3587f36de55aac210c04
humanhash: hamper-carpet-king-steak
File name:OPO.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:413'696 bytes
First seen:2020-06-27 07:34:52 UTC
Last seen:2020-06-28 06:02:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:qvpbZiF+ZG1vdzyy8qf/XGtya5HPBzCZYUJ28+xmAR0sj6psMJYKvSGJeKWf:q+FFymf/La5vBziYAjiXR0sm6MrSz
Threatray 10'587 similar samples on MalwareBazaar
TLSH 7D94015676BC5F37CAFA87FBA462654443F6853B4820F6590CC231DF0A6AF100BA5E17
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
4
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/15046/
Detection(s):
SecuriteInfo.com.Artemis2A46FD19BDA3.9064.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Enabling autorun with Startup directory
Unauthorized injection to a system process
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f29f0a32dde99ca599dbddf62fb0d004a97095695c388ebd95eac22078a2f360/
Threat name:
ByteCode-MSIL.Trojan.SchInject
Create hunting rule
Status:
Malicious
First seen:
2020-06-27 07:36:07 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6kpqumw55goklgo33x3c7mgqasuxbfljlq4i5pmv5lbca6fc6nqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
AgentTesla
3ec3af4549c4eb614c0adbe80eea39646e7b0de97e6ff1fa52c43e0fb2249560
AgentTesla
72bcbcfab861501c3778d871856d1e80169b0401a20064a52395c19f0cd93f8e
AgentTesla
b9c9bdcb2bab456d6aeb2b1515dc364251ac811e1ed73f9fe3ef4eeccabf3693
AgentTesla
bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6
AgentTesla
cea8cae444dd5dadf01c31def4681b170907b97e0cfb468a9ff317ce7ae736a3
AgentTesla
dac16914e3eef447d6e540c6296c4a93085367f26709c5707aecfa1e37910fbf
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
f8166c3c857a7a3ba99515cf6ae242a78050fba7608e24a88e2559e0063a187a
AgentTesla
ff3ae499f8f7e4682acd374391c6a8ae492cf0205ccd02a20a18f76cae6409c1
AgentTesla
+ 10'577 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200627-91jskz9v8j/
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip c0a91cc5ccfd79b3db6e9e571c382aaa0936a7f41b00b92e405f5c6d2c1f94db

AgentTesla

Executable exe f29f0a32dde99ca599dbddf62fb0d004a97095695c388ebd95eac22078a2f360

(this sample)

  
Dropped by
MD5 c2c3f8943355865334f58b879f296f6d
  
Dropped by
SHA256 c0a91cc5ccfd79b3db6e9e571c382aaa0936a7f41b00b92e405f5c6d2c1f94db
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/15046/

Comments