MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0598b4ce2460676755245bad49490a9c94ae85a074c2242adfa65c52b0ad3796. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0598b4ce2460676755245bad49490a9c94ae85a074c2242adfa65c52b0ad3796
SHA3-384 hash: 8e5a51d4071e5153602364c6e908698e6b2ff3c765dd5d09819d844b5f8771da8e4f2d4c6f2e4f42030403a8fcbebf11
SHA1 hash: 9a11eddccd0e3eedc55d548a4b0702ce34bddc36
MD5 hash: f4455f4b22f4dbd1ea488cd8afca5047
humanhash: oklahoma-bakerloo-oregon-snake
File name:POM01052020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:439'296 bytes
First seen:2020-05-04 20:25:22 UTC
Last seen:2020-05-04 20:43:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:KVEL5Ciln1qRg+P4PeO8C89FuaL/CFt18rdKx7:KePqGDeO8CuTCFtmr8x7
Threatray 10'566 similar samples on MalwareBazaar
TLSH 1F94F02477E89917DFFDC4B9F08492014370DAAEA282FBC9CDD25974CE47B72694224B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: pldtdsl.net
Sending IP: 45.137.22.58
From: Daisy Ruth Pacheco<tradepts@pldtdsl.net>
Subject: Our PO No. M01052020
Attachment: POM01052020.GZ (contains "POM01052020.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.44227.15727.29554.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 00:26:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=awmljtrembtwovjelowussiktskk5bnaotbcikw7uzoffmfng6la._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
157e2d59ee91293baecbd5c998e21a5fd380bccf67bdc9168da44f5d20aada95
AgentTesla
201aab86deb0b609b895f6934d5a87b56384cdf01dbfce5e5bb2e970f91bb919
AgentTesla
219760dead477932b0a969b38ecc8d7ee41b2da4de72f32700f905cd705c340f
AgentTesla
7a7ea4a20add0c6022d4e72fe7d7e5558230447a95e0fbaca75780c8f248a9c4
AgentTesla
82d3edc9ad7ba25feca5ef08641b0f030d92faa5dec17f3148e062b727a0240c
AgentTesla
895225b53f54d122a60d52a692acfe09a4fb64fbc2bea01746d2ec3f12e3a564
AgentTesla
9feec7852ef1647fa53b548d5d55ae251bd5df7f112f22a63238612b6ffad1ea
AgentTesla
9ff973461fe556e748939d04aab5d5c8452cdb6350d52dbabefb347fc461ef5b
AgentTesla
a563a898ce1c8dcac374ef8a468e39a185ca3b010f1a41b60731a7beac23f846
AgentTesla
fd9d2ae85f8ee25995f7b8580bffd4f4fbff641edf5852e456cbd9df3c2abd19
AgentTesla
+ 10'556 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-1lye2rkfqs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 0ab94bcd0c12334a883fda968d9ea6fd5b5085005d36a0654ed0f59c25a48cab

AgentTesla

Executable exe 0598b4ce2460676755245bad49490a9c94ae85a074c2242adfa65c52b0ad3796

(this sample)

  
Dropped by
MD5 c0b6fa9cd9146667997a40d824777d4d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0ab94bcd0c12334a883fda968d9ea6fd5b5085005d36a0654ed0f59c25a48cab

Comments