MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8d6845e4bbaf3b148d938cebbe21d80cf53288e387abdaa7f7776c2ae89dcf5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8d6845e4bbaf3b148d938cebbe21d80cf53288e387abdaa7f7776c2ae89dcf5
SHA3-384 hash: f656e3c90733abf080faa0df26dc3c55566b36d759d9f2e4e2ef5b4e26b34f9c86625e29b386afeff7e99ea0a4273018
SHA1 hash: df77fc67dc99818c3a5e463c78146ef8dc0edad5
MD5 hash: dce1929034ea7261d36b425eeca9e2a6
humanhash: five-oklahoma-kansas-potato
File name:RFQ-Order-PO-0586970-08-18-20-Quote,xlxs.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:761'344 bytes
First seen:2020-08-18 12:32:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:sZkKb0BqeDo2hS6/CcFyYCQ/YKUvxwE+KAIGQlOZBhb6rbRAWwewpySjuo1:qkq0BgmS6/CcFJCQ9UvOL/yrbGuo1
Threatray 9'269 similar samples on MalwareBazaar
TLSH 99F4013633A4DA05D57E97398C99204513FAF807A652DB7F7CD8224D4913BA34B33ACA
Reporter abuse_ch
Tags:AgentTesla exe geo KOR


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail-smail-vm44.hanmail.net
Sending IP: 203.133.180.232
From: 푸른하늘 <ash9943135@hanmail.net>
Subject: RFQ-询价/采购订单
Attachment: RFQ-Order-PO-0586970-08-18-20-Quote,xlxs.7z (contains "RFQ-Order-PO-0586970-08-18-20-Quote,xlxs.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
61
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47836/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f8d6845e4bbaf3b148d938cebbe21d80cf53288e387abdaa7f7776c2ae89dcf5/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 12:34:10 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7dliixslxlz3csgzhdhlxyq5qdhvgkeohb5l3kt7o53mfluj3t2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e5e318e272a7450269e3eacf53f53f5f25b843f1d8828452a090e4b2afe04df
AgentTesla
467891785750079e8bb4f067c246a7c736756bf9f17c9d09cc4f384970b8fd99
AgentTesla
5964570b4ebb8b449730df21e4e1da41557c306870b7f11b6321ee4dd8e031e7
AgentTesla
64b14942869c60d07cad750a8e51c0386cde6cfc65d574480d27ab41caa32baa
AgentTesla
7b1284dfea512883123452d9bd0ed61ab9af5ee56382664aada1914a42944e60
AgentTesla
847a17631eb77cdb667aadc9bebec75562fd1dfc4fd6206d2ec2636a11671cca
AgentTesla
91cfa121b109ceaceb8ca6dcef72ac69691291facec3569755f13c4a87f6da75
AgentTesla
9be04012b4927a7e93498068acaaac6e157192df66509a20079fa39084735247
AgentTesla
b4d97e5fd7ec7fa2db1180417dbf4c4164e2d942c8a42388079b46bc5ab2f44c
AgentTesla
b4ebfd103993464897b2a45938edb01fec2e897cf8c46500b0b6264a57928f9c
AgentTesla
+ 9'259 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200818-gtrjazz8e2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f8d6845e4bbaf3b148d938cebbe21d80cf53288e387abdaa7f7776c2ae89dcf5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 415ab07e275f4c2e8187b9f755bd71112c38b90643e852ab001ccd5efe0aafcc

AgentTesla

Executable exe f8d6845e4bbaf3b148d938cebbe21d80cf53288e387abdaa7f7776c2ae89dcf5

(this sample)

  
Dropped by
MD5 81e4b5e2b72c42bb1e74a6f788f39bf4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47836/
  
Dropped by
SHA256 415ab07e275f4c2e8187b9f755bd71112c38b90643e852ab001ccd5efe0aafcc

Comments