MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f96f26859a0e34567a6042ef891e59c27a62f6630d9211be0bbbcac749efe988. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f96f26859a0e34567a6042ef891e59c27a62f6630d9211be0bbbcac749efe988
SHA3-384 hash: 062a7e48c6107c09eab6595f903791aff16c4e2ec8d9b5877b436395f609a3293ba7756aa6e40ee2a900a400408763d4
SHA1 hash: 35f57349d3755526e157509fbc5f6f1c3ee55225
MD5 hash: d36dbae8a914744662588288091d9e39
humanhash: seventeen-robin-rugby-lion
File name:JUNE_QUOTATION#7724_210520RFQ_NEW_OFFER_SAMPLE_AZN_O_M_Company.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:446'976 bytes
First seen:2020-05-23 11:10:56 UTC
Last seen:2020-05-23 11:46:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:Rw79UPj0U3s6OHlwBT+1GXMMWihtHb+vqKqsXRufXM3P1:cI86+6ZnX+ih5qCKqzfX
Threatray 10'594 similar samples on MalwareBazaar
TLSH EC940249329C626FD87C47F9286015520BB3AD42B652E34D4FE6B6EE16373E04A10EF3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: juchansolutions.pw
Sending IP: 173.82.168.118
From: Saud Abdulaziz Khalaf Alsharrah <info@juchansolutions.pw>
Subject: JUNE QUOTATION
Attachment: JUNE_QUOTATION7724_210520RFQ_NEW_OFFER_SAMPLE_AZN_O_M_Company.arj (contains "JUNE_QUOTATION#7724_210520RFQ_NEW_OFFER_SAMPLE_AZN_O_M_Company.exe")

AgentTesla SMTP exfil server:
smtp.iotoils.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Hosts.47613.21968.30777.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-23 02:58:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
21 of 31 (67.74%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c7de15126c912cd1ab00cb0ba1f5504272eba4d87912f4251431892d5a2a375
AgentTesla
0fc60e6149afb0a4a187d8d2d593a8939460ee688ca36091a825489e0d1ed399
AgentTesla
1889cc3d14163844c0ac599ded1dcbb904510b10d2ee4e5f03e3e2cf81040d79
AgentTesla
38fc7dbc46afc77e54a4810ba17964faaa85ef9ca526890306fcc2c5ecc398db
AgentTesla
44ba37fc9028cfa910e1ab8b805fa455ba0ba2d6020c6da3971ed61a490513d3
AgentTesla
4dc2d208eac6249c467cfa21ddaf785e6259b24fcccb2d9d761a3161284074ef
AgentTesla
7f739c5eac76d496c71d9a0b24abe3d9990adb95321a1145eff1f3e68e3c4745
AgentTesla
a219a59846f747474e83c29b015f831313d83aebf99823b5f12e58a86dff301f
AgentTesla
ad4e9fc11e43cf6bb3b98ee29517dcd3b6aaee90c7a9ef88fe84a3a0056e92ec
AgentTesla
da724467df8f1c1cb077ad7879ad8790cdef010eab22b382fbd2ed6e87696d87
AgentTesla
+ 10'584 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-c7s38wt7be/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj df9c84db2efe2030da7387e03f7fe4f4d11ce489117399b5b8aecdc8a85d03cd

AgentTesla

Executable exe f96f26859a0e34567a6042ef891e59c27a62f6630d9211be0bbbcac749efe988

(this sample)

  
Dropped by
MD5 6e1aaddd214a032c95ddccd512efbf58
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 df9c84db2efe2030da7387e03f7fe4f4d11ce489117399b5b8aecdc8a85d03cd

Comments