MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01dbd21d13ed7e20516e5217d86d43ea1ea767d5b2593fd2ec7957d692dc7ba8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	01dbd21d13ed7e20516e5217d86d43ea1ea767d5b2593fd2ec7957d692dc7ba8
SHA3-384 hash:	e2aa138b3291e74e15f7ebef43a885806317e66b73f74206a5c41575e24aa16437cf9252ae06ffde40c5e0bb0e795dad
SHA1 hash:	4e7cf87013882b664e281a85fbfb9a5884d144c3
MD5 hash:	d1d669f6c451987e73857580327f2604
humanhash:	quebec-iowa-august-michigan
File name:	TNT AWB TRACKING DETAILS.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'765'888 bytes
First seen:	2020-05-05 13:25:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:Stb20pkaCqT5TBWgNQ7aCcRT3JdSkchquaH6I5Soh/17lGT73bo68sxYdaFtgsyK:fVg5tQ7aCcx3Fm26IT/LGT7s5pYo85
Threatray	944 similar samples on MalwareBazaar
TLSH	CC85E11263DD8360C3B26173BA297B11BE7F7C250AA1F96B2FD4093DE920161525EB73
Reporter	abuse_ch
Tags:	AgentTesla exe TNT

abuse_ch

Malspam distributing AgentTesla:

HELO: server.sturrockgrimdrod.com
Sending IP: 89.223.120.217
From: TNT OFFICE <info@bolivariano.com>
Subject: TNT Express //Arrival Notice // AWB #7008013580 5/04/2020
Attachment: TNT AWB TRACKING DETAILS.PDF.z (contains "TNT AWB TRACKING DETAILS.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin

# of uploads :

# of downloads :

104

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Predator

Status:

Malicious

First seen:

2020-05-05 14:28:09 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ahn5ehit5v7caulokil5q3kd5ipkoz6vwjmt7uxmpfl5new4poua._file

Verdict:

malicious

AgentTesla

68f746d2933821737aafcf2bc00db8b8f2db8fe6b6aec4ea25eb0bf31b1c370b

AgentTesla

69a72a4e6627e9d4f81f2a4a7d83438fa05301a909093a2e86284d2bd3f9bbaf

AgentTesla

7e08e758f9ab52f92fb38a7d7f114ea84df6804105def422feadb8f631a6c8af

AgentTesla

80f56695aceb9a29286d4ca72ca2d54c02aeb3e2f22167392306701ed91a281e

AgentTesla

916e4a56e4263ba232f9d942d2818560c5c4b973187db81a42e6fc39de7a2852

AgentTesla

96e185894358d0c8c7f977fa2a586e6cf9e6e71ed2d6d23081633cd9d19c5367

AgentTesla

9bef20b54e2e90ef3afb0cc692ee0a4f5e843f38a3bd75aaee29e506f27d6b32

AgentTesla

b6b19634b174ec68dacf4a4f936d8ad91e4374737de56f1e3995b51f778f755b

AgentTesla

c2d6a58ae4cc93b225f512a127c751c63398d0fdb7f847b77c83cad6cb79e6bd

AgentTesla

+ 934 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-lcxdpfpbgj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

89290e2fe10625d2de45059112eb2abc

AgentTesla

exe 01dbd21d13ed7e20516e5217d86d43ea1ea767d5b2593fd2ec7957d692dc7ba8

(this sample)

Dropped by

MD5 89290e2fe10625d2de45059112eb2abc

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample