MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f78720abd4436ed23f17cce3d173034fcc8d761af1839eafe969cbf109e25ade. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f78720abd4436ed23f17cce3d173034fcc8d761af1839eafe969cbf109e25ade
SHA3-384 hash: cbf134b938905858642b44a39e1057c5ef0abea3cc85af9a6ea9b9bef785efa4e7ddacf99f6d6affc25e0485605ce172
SHA1 hash: 41ebc83aeb5d35e42a28d3e80ec0e39e0d1c966d
MD5 hash: c5d9a15166449b5814f31580ee4013f9
humanhash: spaghetti-utah-jupiter-stream
File name:TOYO Engineering EPCC for BIO-MEG Project AYBF001 Hot Oil Heater 26730965_scanned from a xerox workcentre1.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:596'480 bytes
First seen:2020-06-03 05:54:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:qOW5+Fa6XBcK89JM/pJyazujemP7Zd1LF3bgztUn1f1mN:L+TNd32wrmN
Threatray 10'650 similar samples on MalwareBazaar
TLSH 06C4CE47B2DCA9C7C56C09F85D21F21C23BAAD2150A2EEC56CC2F48A55F5B9204F396F
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 03:30:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
17 of 31 (54.84%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=66dsbk6uinxnepyxztr5c4ydj7gi25q26gbz5l7jnhf7ccpcllpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0634e4d99acb33ab8ea8b8f48eed2ee32ba96bf3ba9781bfe59a17b2f57e9f59
AgentTesla
737b50d6793ba9b65cd9c2a6a5c797776553c4e2af33a17e171de9934929e11c
AgentTesla
927eaf52330a648f27421c3f5c1a405ca01c8b8fffe734bf3cd870da1a710323
AgentTesla
94fcc8c7fd53c5463c0d33d1f74b5c7c8c0ae95ef097477958acb9df1ae5a15e
AgentTesla
9dd769cb464834591e19709c8e98d97f84dbf86b3e8d35685e88373c1c73c549
AgentTesla
a0d1174033e97f8357e24a3c08daee72328599e260d622979d5e9d4787b29707
AgentTesla
d2a97ab97d0977567f4b2ee6ba659725fc82e9d4fbdf293b5f2bed5152d40af5
AgentTesla
dce1e0ba1804a1f7f1deefd167342fa83f1aa5a3d14ec8be14b6cb10b8beb831
AgentTesla
e3f7e46443905093f45dc19c371eecc0fb10d3d8c81941f1f75a274cabdab033
AgentTesla
f218ca5df76d3fd3af680e0a732a71e441da31cdabfee7b9705afaa4c0037c12
AgentTesla
+ 10'640 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-xqysmwdb7x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

eb56d3c506dc6684e5c9296e4abafecc02022d4363e5dd79cdd7102650862040

AgentTesla

Executable exe f78720abd4436ed23f17cce3d173034fcc8d761af1839eafe969cbf109e25ade

(this sample)

  
Dropped by
MD5 b7f87a58859b25c923b4ef7f20c189cb
  
Dropped by
SHA256 eb56d3c506dc6684e5c9296e4abafecc02022d4363e5dd79cdd7102650862040
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment

Comments