MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10b1433fa8e6e2e8884f321df9310d3cc65b462a94e5c91e2313f79848beb722. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10b1433fa8e6e2e8884f321df9310d3cc65b462a94e5c91e2313f79848beb722
SHA3-384 hash: 26774cbc011861f256b7fa9bf46219f02367b5af03f68f253cb3e4cc0f765de30a2c5251f5a07f2afc6ee4f6dba21d81
SHA1 hash: 0e115755ad3ccd2e981be03c1e420ffe782078c8
MD5 hash: efd360e7b2f576349a350d5fa5c75740
humanhash: network-bakerloo-grey-eighteen
File name:efd360e7b2f576349a350d5fa5c75740.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:308'224 bytes
First seen:2020-05-05 16:04:54 UTC
Last seen:2020-05-05 16:39:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:E9stCTK3treJVpINq18uhBZTW7JrAkWKcgzD9XcOP5xItKm3txYmowb:E9/2l0x/hBKAkWKcgzD9XcOTMf3t
Threatray 10'537 similar samples on MalwareBazaar
TLSH 6A642B7DAB88B902F27E1D7251D1522012F1D4835D12C34F7EC4ABEDBF617C92A4A3A6
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-05-01 14:30:24 UTC
File Type:
PE (.Net Exe)
AV detection:
29 of 31 (93.55%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ccyugp5i43rorccpgio7sminhtdfwrrksts4shrdcp3zqsf6w4ra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05c1f772142b914a5761ae612fdd21cb2a5a7c8560f05b4410858024f6f2acc2
AgentTesla
68d01ee51cc0c90ef40afbd0b6a914de7d80c8cc347ffd80c1a7e0e888bde437
AgentTesla
6c731b9e623222de40d78c857573d713bafce156a4b42dd445a840fddfe585be
AgentTesla
755757fe45ca7ec3347803cad3da8e3d964c330f4649e014b22d6851c7acc5ef
AgentTesla
7dc5080e23dd65c77173e910f536b267a24479d61131a43c2c5104df5fb8405b
AgentTesla
ac943c916f546d6a3194154ecb4923c9afbd1a513b7d3af5beba85e8d7047af8
AgentTesla
bd03cebf0f02bc3313ccbe3de2948e4981d52c983d2215c637dda38ab89863e4
AgentTesla
c4187fe250b35cb65deb03cb6a39fe1814ef4e425cf32e67f6afc3c9122600f6
AgentTesla
c63cb2c82dfd94ac6a40c91d5ebdd5d00fe6f2ff0dd785af1f312eff9872861f
AgentTesla
e726b85425a9c7ac3b74d7bb4b7d86079e66f22d27a4ecda2b002b2b7e1db7d7
AgentTesla
+ 10'527 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-zr6x7q8gz2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 10b1433fa8e6e2e8884f321df9310d3cc65b462a94e5c91e2313f79848beb722

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/358428/
  
Delivery method
Distributed via web download

Comments