MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0851af08d99952725abad6b8848bf8229c8db04ea48e53d5c35d59229b746da7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	0851af08d99952725abad6b8848bf8229c8db04ea48e53d5c35d59229b746da7
SHA3-384 hash:	71fa9ca45fcbd530acf046c2d3dd3316069492169b6cd151ee4505156acbb61a862872dc234c25346956c3f6781327dc
SHA1 hash:	ae6ffbc82cebc360eb6330a81bf9c0939c3b6484
MD5 hash:	ab4c1217935f026ffae7a6abd9a3ade5
humanhash:	north-hawaii-fifteen-saturn
File name:	ab4c1217935f026ffae7a6abd9a3ade5.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	766'464 bytes
First seen:	2020-07-24 13:35:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a95f64f710239fabb14f8033aa8f32db (5 x AgentTesla, 4 x Loki, 2 x MassLogger)
ssdeep	12288:4IFIvtUFqW6lJMK5/ZCasg48z1IWPhetOLyH/iwjgK2Ddek2x08+9Yz7UYy8J:PktUD6lJMmsL8KWPc1pjgKZZ6OH9jJ
Threatray	11'740 similar samples on MalwareBazaar
TLSH	7CF4BFE2E2E14833C1A7173BDD1B9F789835BD1139289A462BF51C0C9F396C178362A7
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/32214/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.18936.27272.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/397428

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/0851af08d99952725abad6b8848bf8229c8db04ea48e53d5c35d59229b746da7/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-24 04:34:42 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bbi26cgztfjhewv2224ijc7yekoi3mcoushfhvodlvmsfg3unwtq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

3bb9ecd9c2bb6b01ce8fe60b5301260dfb60de81c02517a1080dec678f7c1377

AgentTesla

400503c940e526fb69ee4ed11c7e23a0823dcb610eeb02619b460de0f3b2e21b

AgentTesla

6fa0d2b187fff4aa38d7fe7690608068aa1469b0f2de4391947027553723b43b

AgentTesla

7276f014cbee4a7ffd297a0e90472bfa17b024932cb6371a06c0845e143b88e1

AgentTesla

9507af5acd54cac5dce6b2dd74a9fa04b34b0cace818d339202c4f354bf0ffa2

AgentTesla

c2131d5a839d002b20f39535bf1ec0245059d3c2c54645d72e94fb0f37ce5700

AgentTesla

c7735f6ac2f05ee86942e0d7432cedecd7aa0cefd8d706e300b5bd0de9acb40d

AgentTesla

cfef6a351694bc6791363017e38cb725e77fef94af81a03a67186b97f1b3902a

AgentTesla

d63ec5231d1d805fcf8272f20282fa1bd9b94cc01c309a5eaaf32c1e09f9df6c

AgentTesla

+ 11'730 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200724-lky9ehc2fe/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0851af08d99952725abad6b8848bf8229c8db04ea48e53d5c35d59229b746da7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/32214/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample