MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f2db78e5165646f19a5b9438764740b24ab4c578890cd68e292cedaed3f7ca84. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f2db78e5165646f19a5b9438764740b24ab4c578890cd68e292cedaed3f7ca84
SHA3-384 hash: c61359e13bda9bfc67ce8e80150ff756d3c8a5237d7231ba62f2104ec113673eb1c2560f2b908fd01b6f9275b3851a0b
SHA1 hash: f2f21c09cb6ca3b550f67cb51db9d2eb48b9ac0d
MD5 hash: 5583cbebfa85750b185b35b0080ce3bc
humanhash: fifteen-pennsylvania-north-connecticut
File name:RFQ#QHE20-0436.pdf.exe.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'651'200 bytes
First seen:2020-05-08 07:12:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 2b7e3cbe91e6d6f699432fd076c24f47 (9 x AgentTesla, 1 x FormBook)
ssdeep 49152:33kkXImt5DcpMQdf+1FJMaz0rpqRyJRuX9jx4RR5bwOGMM8:33kkXIKxcpMY+FMaz08yiX9jx4d7GMM8
Threatray 11'056 similar samples on MalwareBazaar
TLSH 16750226F3F18437C2E3553C8C4B5768983B7E512E69588A2BE81D4C7F39782356D2A3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: rdns0.dhanrajplasticss.com
Sending IP: 5.253.86.61
From: "Nga Le | Inavate" <purchasing@inavate-av.com>
Subject: [Ext] QUOTATION (QHE20-0436)
Attachment: RFQQHE20-0436.pdf.gz (contains "RFQ#QHE20-0436.pdf.exe.exe")

AgentTesla SMTP exfil server:
mail.hajartrading.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Adware.Generic4.AANW.UNOFFICIAL
Create hunting rule

PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Hploki
Create hunting rule
Status:
Malicious
First seen:
2020-05-08 07:36:23 UTC
File Type:
PE (Exe)
Extracted files:
64
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6lnxrziwkzdpdgs3sq4hmr2awjfljrlyregnndrjftw25u7xzkca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
02901340842ac53bba2ca25aa8c52300435c1c7f8c273521d54c60c4ffb92a00
AgentTesla
22165d0974fa72f7e87c8e5128cd1fc3fe6b6dc0ed8e990838229b3a92234349
AgentTesla
2d642faf36b978257eb3ecaab096fb7a47d2420cc9dbc052130aa5fdde1f4726
AgentTesla
32ef6a3c172b8ab59ed668b0fbad8c05dda82428fb2d1ec8e47d9e6db076043f
AgentTesla
37d7cd08ca91dc9962cfd418aafc0d115b954ee72c181feaf7d986c1f56b26a7
AgentTesla
60b66b4e182a7c2510e2abecd821a0cb30de3da1309e01ed36230cc9bc556cac
AgentTesla
7ab75859697472c8bda10b6cb7e7ffa7c8f5ce5eae3e7c67a565ffad2c6de83b
AgentTesla
8948e4e0f392197b1c1436e5f7a2a7bc326c849b6129d8cf287a6d6a03cd642e
AgentTesla
982d2699709d7a024a542a4f771a544cf987ce8d8f15cfa3dcefca157b251e3e
AgentTesla
e0e1906cf3bdce3052f97a950aef614488f566a4d587428d64d0c848f97a7a4f
AgentTesla
+ 11'046 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-5nslc668pa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 3bb09c56522a13ee6a00826c42eb3b583e17cbd3c97cca04918905d32f056dd6

AgentTesla

Executable exe f2db78e5165646f19a5b9438764740b24ab4c578890cd68e292cedaed3f7ca84

(this sample)

  
Dropped by
MD5 028d32dd580fc396d59b375b40b8250d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3bb09c56522a13ee6a00826c42eb3b583e17cbd3c97cca04918905d32f056dd6

Comments