MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f33e536c31c5aa7b5a463c4c9243b4369de785e06648ae076a8822f11797076f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f33e536c31c5aa7b5a463c4c9243b4369de785e06648ae076a8822f11797076f
SHA3-384 hash: b46cc08a7a79884156f3254a57fc3ced185a87d2fa6b4e1f8257a5fb9d93a96fe23beaa1174addb497b214a14bc9bbe2
SHA1 hash: 35c5f97ba323151a8577c768f31829b54f3cff06
MD5 hash: 1d476ac1c6c3fcd41cac2ba9481c4eb0
humanhash: sweet-enemy-neptune-tango
File name:1d476ac1c6c3fcd41cac2ba9481c4eb0.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'503'232 bytes
First seen:2020-06-03 08:21:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:mtb20pkaCqT5TBWgNQ7aajuvcUS7tuHLlJYMRNL3JdEAEv2686A:TVg5tQ7aaY3LDz9b5
Threatray 10'925 similar samples on MalwareBazaar
TLSH 4465E02273DE8361C7B25273BA56B701BE7F782506B5F56B2F98093DE820122521E773
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.insooryaexpresscargo.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27681.XorExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 10:23:00 UTC
AV detection:
29 of 48 (60.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6m7fg3brywvhwwsghrgjeq5ug2o6pbpamzek4b3krarpcf4xa5xq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
18bc1bb7ff629d8aa9646875c02636074f4039b39f48273ff97fe7c12f401e00
AgentTesla
1e951012c34ea9b3762e742c890933a799c4c487abdc7639abae579eebf50e9e
AgentTesla
21d19ba98de8b710605e144809cae73bc3b7606cfc49e995a267cf44e4c2638f
AgentTesla
4917103eef77ce8fd5beb88efd446180445e0ee6ac933f5e42443d3673d62bc8
AgentTesla
85f9449b3bf138291017bff513ccc66cdbbb81478098149bf6ddaf44410c235e
AgentTesla
8993c6ffa46e5d51e517982dca4e5bb6ba32ed168348c1d4004a41a581282a1f
AgentTesla
8eb3933e2012364a81fa9f1003c485c03c6cafd61eefaf1b4059cc8d4a4066a7
AgentTesla
9b05b77b3afaacbcbf23eadad8866e55c4d21d007e5107e9f30c0d93b51fd0b4
AgentTesla
ae29309cd07a69a999f452b2ae38f9b444e3ee7ea1b7fb3579578abe23bb5829
AgentTesla
e3574b9f84ca8cf778a664b60c2d6fde9049c51a384f5fbe49003fe806afd966
AgentTesla
+ 10'915 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-qvs3e3y9qn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f33e536c31c5aa7b5a463c4c9243b4369de785e06648ae076a8822f11797076f

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments