MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f9ff810fb50e7715a0e84b16a0f8264d783e824e1770a59f7de37d32d40a0ae3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f9ff810fb50e7715a0e84b16a0f8264d783e824e1770a59f7de37d32d40a0ae3
SHA3-384 hash: 73c1bf0e7aa6a02b7bfb4493a1ef2af081ffeaaa14767ec6622b4b23ce85f215590f797b55c401fe39b626c118a6ad4f
SHA1 hash: 157830139221b56911f71814f4412e079a754161
MD5 hash: c0fbe12e641949e49f499595ef1303f6
humanhash: fruit-chicken-sweet-undress
File name:c0fbe12e641949e49f499595ef1303f6.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:287'232 bytes
First seen:2020-06-05 06:00:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 6144:bFI24JjnGKZGPokCtjoyL7dGdR4HUD9X:xtujHkokC68U
Threatray 10'549 similar samples on MalwareBazaar
TLSH 1354186D2B88B902FA3D1D3249D1566013F1D4835E12DB0F6FC02FECAA5B7CA7949396
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
server257.web-hosting.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-06-04 13:48:31 UTC
File Type:
PE (.Net Exe)
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7h7ycd5vbz3rlihijmlkb6bgjv4d5asoc5yklh354n6tfvakblrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
17ed2f2ec07ba4a175b698cd30b172ca2e8fe8ebb2a13e08e6e1f3990781888a
AgentTesla
3ec3af4549c4eb614c0adbe80eea39646e7b0de97e6ff1fa52c43e0fb2249560
AgentTesla
44096c1493b07b6097e73099250d28081e1729e2181420e90b5913030c9687b2
AgentTesla
4d8d60702145448a23d9304e58670f55d8449d2281a6ca9d6d95dbc25cb4e598
AgentTesla
a384816b481c92571f603a60f84b5a4cf57a6422c55c3fffe17d5dd0e85a5034
AgentTesla
b823ab3333cbfa29218063de8440da29fc50aa7db3e70bbc9bf586c2f1eff696
AgentTesla
e1edaeafb526cd694a3f293cf47ad4bdb832cc0c6d697a1f386d0f9b63dcd152
AgentTesla
e42fe9ce657b9eedca1497cbcecfb3a6b7ed453ff5dde6c4cc3f06cdf7b59b00
AgentTesla
e6a9bbee2b3b1dec06bfcddd17711777d7d14171e9c180a7310f6bb9cabf6879
AgentTesla
fa885e667cc43b0acd85af66802d2eaa9266ceed59a74589b415aa0ef45e4ce9
AgentTesla
+ 10'539 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-8ddhfb1gmx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe f9ff810fb50e7715a0e84b16a0f8264d783e824e1770a59f7de37d32d40a0ae3

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/379670/
  
Delivery method
Distributed via web download

Comments