MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01cb20a8b3bfd9f9f3ff5eb17abf1a48796e623f02f390fb952d89b24016c259. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01cb20a8b3bfd9f9f3ff5eb17abf1a48796e623f02f390fb952d89b24016c259
SHA3-384 hash: c353185b758eb9eb9f143171c5a87ff0ecb3bffd90ceef7c619ef9f9a3ce6c9f59affccbb73401ec360db92535eed088
SHA1 hash: b8ee58b457bd585e1e48a5e17da6efbe4eca1fc6
MD5 hash: a7917d5ebdf8acb2b98630e7e5699531
humanhash: jupiter-lactose-spaghetti-foxtrot
File name:a7917d5ebdf8acb2b98630e7e5699531.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:844'800 bytes
First seen:2020-06-15 14:25:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 66065bfa6851d704157ac187a0c7b964 (14 x AgentTesla, 4 x Loki, 3 x NanoCore)
ssdeep 12288:GYHdm1fBr+IwICEMytGbPGcbXDbE1Qla6RgVcP/7kvDxul+vblc+FZ0O1kqsi6xX:GyAiIlCPtfIv9XDHjRsi0
Threatray 11'616 similar samples on MalwareBazaar
TLSH A3059F22F2E04436D0721A785D1B6F785C2BBE196D28BFC667E4CF0C5E356B03925A93
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.fipco-sa.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/10510/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Injector.EMJE.18762.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.CryptInjector
Create hunting rule
Status:
Malicious
First seen:
2020-06-15 13:37:32 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahfsbkftx7m7t477l2yxvpy2jb4w4yr7alzzb64vfwe3eqawyjmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
27acf46938632a2dce525dcb8a6e131473bf2d54066de1fd68ee49558547c434
AgentTesla
4b1da5728b996ab79cb7b1a354473fdd36d9c3db938097183f6f4595ddab608f
AgentTesla
6f3a65eb596bf237c3aa6d02f1c22cfc1087e03904c6fab5fe86ea45e0463f4d
AgentTesla
72601c184a73a3def992b0bf596508387d7aa5dce9188be7840c1c25a9cbe7ac
AgentTesla
9085ffe21d4f55f9aaa5c9e63618b0a599ed6f7c6ad6f054fbd06ecddd5321e8
AgentTesla
90c2b20b2f904dcaeea6ca1e3a4fff5d586c3f07a0f958b3fd25202ab3a35d2c
AgentTesla
9426eff06a9e6de76b0168a39d457eebc368318ba1c468c8e6b04fe6f7b64b04
AgentTesla
a9a23a0d9df00e223a3c3b5c9ab750ae576b3217752e7a054435291b4d10a970
AgentTesla
d125bee4f4cf2d445a9eca9c8a88e2fa7f3a05dd615e5567ab7a22a6aefbe56e
AgentTesla
fd54073286010523ef59ce428c3ae8b92f87abce1027ed232befe46499bf5e53
AgentTesla
+ 11'606 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-w6ljgm7d8j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 01cb20a8b3bfd9f9f3ff5eb17abf1a48796e623f02f390fb952d89b24016c259

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/390042/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/10510/

Comments