MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff3ae499f8f7e4682acd374391c6a8ae492cf0205ccd02a20a18f76cae6409c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff3ae499f8f7e4682acd374391c6a8ae492cf0205ccd02a20a18f76cae6409c1
SHA3-384 hash: 82d3352c582f3effc0b593ce3bfc3b163c62c2a55cc41d601d4b0a04231c6d5c76f59a1fb25f750bf3e4231382b5716c
SHA1 hash: 5398f712adc7fd22731d287054490e204eacaf10
MD5 hash: fd81cbb883033274471a48ed055ff2e1
humanhash: eight-seven-mars-minnesota
File name:opoooooo.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:613'376 bytes
First seen:2020-06-29 05:58:45 UTC
Last seen:2020-06-29 11:03:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:KgxDwH5OBQpvpgXhnCVkYIIZHXbicNHHBJVfMnD5CWrfAFuqbcu6QSd8:KgxDwH5OBQ6l6kDqH/HhvfMD5CWrfAID
Threatray 10'586 similar samples on MalwareBazaar
TLSH 70D4F10073B86F6AE6BF83F95665452557F63866A126E30E4DD230DB28B2F40CB41F27
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: drawtex.com
Sending IP: 103.99.1.159
From: info<info@drawtex.com>
Subject: INVESTMENT INQUIRIES
Attachment: Term and Conditions 4.zip (contains "opoooooo.exe")

AgentTesla SMTP exfil server:
mail.aneeqllc.com:587

Intelligence

File Origin
# of uploads :
4
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/15330/
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.ENGK.190.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff3ae499f8f7e4682acd374391c6a8ae492cf0205ccd02a20a18f76cae6409c1/
Threat name:
ByteCode-MSIL.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 02:23:51 UTC
AV detection:
24 of 30 (80.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=745ojgpy67sgqkwng5bzdrvivzesz4baltgqfiqkdd3wzltebhaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20fa03ed146d67328f48a4609fd5a1f2f584576dcb93450661d4b6e1f9c269da
AgentTesla
353e157d4f8e9729a3cce3c7824bed4b4812a3d1edc885bbb6c949288c1c07a2
AgentTesla
3eb30019123e98c9b8540929e5d1e1251512539523ae9289aa33d205ef8d8006
AgentTesla
677cd89b052993db94346f82c1a00e3d022621ab71cd8101e41645d6f0a9933d
AgentTesla
6d0eafe3b01622ec934edc2e762c88f15ff439686e272af7b9a0fdb164861d9a
AgentTesla
738acd1b73b637e5aabce4ba985c985ba24917066adb94dd0773a7498649ad5d
AgentTesla
73b78f2caff5099ed61689ba82eaa2d6dc19bb1fa2d619b9429d5f876a0ecd68
AgentTesla
8f901388287c1af2dd8b842b84148350d8ea853c72b6f5d4fe3d8de7d87d8484
AgentTesla
f29f0a32dde99ca599dbddf62fb0d004a97095695c388ebd95eac22078a2f360
AgentTesla
fe74cea65dc52f21af1a2ac8b750b5799d50e7bb7943952f2b5c61bed1dc316c
AgentTesla
+ 10'576 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200629-zkqg6w1zzj/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Creates scheduled task(s)
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e487efb2fabaf1e5b9479e7689765ef5fa6908195a0437974b22aa26253d6215

AgentTesla

Executable exe ff3ae499f8f7e4682acd374391c6a8ae492cf0205ccd02a20a18f76cae6409c1

(this sample)

  
Dropped by
MD5 d82af71e78fd2dfe9ecb917f901219f9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e487efb2fabaf1e5b9479e7689765ef5fa6908195a0437974b22aa26253d6215
Cape
Cape
https://www.capesandbox.com/analysis/15330/

Comments