MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f39c91db181b0537d55a941ff504423eb5e97f51a65e6d8ae56d2a7853b0b2d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f39c91db181b0537d55a941ff504423eb5e97f51a65e6d8ae56d2a7853b0b2d6
SHA3-384 hash: 0cab3187e53145941a00ea0a9d6b360f0647c77e30031b11caff880ae4f47152888c4011e186249b51ec830ab64641c6
SHA1 hash: e24a0659997023684e4987a820283d8de439e5f4
MD5 hash: dce486b1c2c25d8c0d69734983b1c941
humanhash: berlin-michigan-july-high
File name:αντίγραφο_αποστολής.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:633'856 bytes
First seen:2020-06-11 06:30:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:jcaUPS6i6VEJD6LpxtfUzKElKvRZ9Ln8rf5/h9aGWjQ1QceClNG/gp9nG35:jcaUy6VEt6GzKZA5/h9WjQaCrGktG
Threatray 10'898 similar samples on MalwareBazaar
TLSH 6ED43A3D7A456816D53C063344D667E1A6B2A6833A01CB0F7ACA57AC5F033CF3B5A369
Reporter abuse_ch
Tags:AgentTesla exe geo GRC


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.omegamail.it
Sending IP: 52.144.69.85
From: Panos A <acclaras@otenet.gr>
Subject: ΕΙΔΟΠΟΙΗΣΗ ΔΙΑΜΟΡΦΩΣΗΣ ΠΛΗΡΩΜΗΣ !!!
Attachment: αντίγραφο_αποστολής.7z (contains "αντίγραφο_αποστολής.exe")

AgentTesla FTP exfil server:
ftp.tde.ro:21

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/8940/
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 06:32:08 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6oojdwyydmctpvk2sqp7kbcch226s72ruzpg3cxfnuvhqu5qwlla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3b48c05087f90d47d871edbff3a56699ce5fad3e14befb68a5339f7de1308b83
AgentTesla
4163f850032d58f8df3a47be1173ff7ff5d89c989512bd08979e724261994345
AgentTesla
55e93e43efaeb600deafd813f7eef356e836904b0d83e545dc47b3ed0078316b
AgentTesla
705ac92d4e8679e22d491eff0fb7dcfca963090dd6e91e25edfe4004b39fd28a
AgentTesla
7b668bf6740289b2750a497800467fcf725fb111071e3ea4e74153e5159a3aef
AgentTesla
aa556dde1f62e5e897bf5db6980f8202febe626f2e9840190f1f2695eec3c065
AgentTesla
aafabbc33c3dcab75195c0a68e244c0b65043fd2fb966e8e66c46f76a1fca7dd
AgentTesla
bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
f8166c3c857a7a3ba99515cf6ae242a78050fba7608e24a88e2559e0063a187a
AgentTesla
+ 10'888 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-2ynaxwcqws/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 164b077fc901dadafc6900c21a23d5202f947bba0cf921c715b7e9422b89b930

AgentTesla

Executable exe f39c91db181b0537d55a941ff504423eb5e97f51a65e6d8ae56d2a7853b0b2d6

(this sample)

  
Dropped by
MD5 40fdba2b1b34abaeb6f67acba5d420be
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 164b077fc901dadafc6900c21a23d5202f947bba0cf921c715b7e9422b89b930
Cape
Cape
https://www.capesandbox.com/analysis/8940/

Comments