MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0ad2efeb1ec5e3a1d4157930f0948cc0d6b7c09abef08e386e4da6cd454f4f13. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	0ad2efeb1ec5e3a1d4157930f0948cc0d6b7c09abef08e386e4da6cd454f4f13
SHA3-384 hash:	01dbc0ccdc635cff85f40ea7606f27f81aa5a3e6c08814b5406e6697843483eca57fb81eb7594e37a8fb4a06b2a7aa85
SHA1 hash:	7313a5a42aac60f844330f2f573f687191d39b5a
MD5 hash:	dc50d72f7175ceb3e787ebfe3f92d099
humanhash:	finch-nuts-seventeen-california
File name:	NEWPO2INV_500B_DD278308.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	515'072 bytes
First seen:	2020-05-07 11:40:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:buaJWxtbXhMpBEqvaZzx8z8yBbNm6yWFdYtS:SaJ4bRMpBEqvaRxq71
Threatray	10'570 similar samples on MalwareBazaar
TLSH	DDB40148371D71FEE017C6329ED0ACB0D969B4A3329A937B9053114D86CCE8ACF95DB6
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

Sending IP: 185.35.64.63
From: Louie Chen<alejandra@nagle.gq>
Subject: Re: New shipment from Shanghai-PO:B277418 & 278308/ 500k UNIT/SSHAM22011
Subject: Re: New shipment from Shanghai-PO:B277418 & 278308/ 500k UNIT/SSHAM22011
Attachment: NEWPO2INV_500B_DD278308.zip (contains "NEWPO2INV_500B_DD278308.exe")

AgentTesla SMTP exfil server:
vietnhon.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VUF.9307.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-07 07:45:00 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bljo72y6yxr2dvavpeypbfemydllpqe2x3yi4odojwtm2rkpj4jq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

25d747802b9ce8ff29860bc3fd6c9822b18108b8b0b1f0b781924203f4ff48f3

AgentTesla

75d96bd9b1835e445b9ea6151181cbbdfe64bf6686cf24d4b595591b951f5c62

AgentTesla

90761a87866077215109936cbce043901defad34d754f3488fa045cac0fd7a0e

AgentTesla

a028f5a581da5fc8e8c76ee28a1cd4d7ca0d44d211eec4153d7c5a4c96bc306a

AgentTesla

d7f11cc278c20baf70df2e5c59d06532b9164e894fcab195d6e5bc69ccf3af70

AgentTesla

e00520e9dbd220029d136401e441b14cc1f0b77272305a4ed045253b83c72eb4

AgentTesla

ea2e7ec387cf91e0ad3d44c01b25adc702061e93b66d21f8b3dd1eab812045f9

AgentTesla

ef815a60779a455c972b48db32df542ea756480065844ae3984da559e9faba5a

AgentTesla

ef99cb1072520b6ca4f08d4684f795a17e92dbca8ef03d3875da1ca2b33021c0

AgentTesla

+ 10'560 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-7kjrmcbcc2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

rezer0

AgentTesla

CoreEntity .NET Packer

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a1e176ae80f82e8376d16442b378d89d

AgentTesla

exe 0ad2efeb1ec5e3a1d4157930f0948cc0d6b7c09abef08e386e4da6cd454f4f13

(this sample)

Dropped by

MD5 a1e176ae80f82e8376d16442b378d89d

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample