MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 11fb8b183a3d236fd9a880bf6be7d68b14ca69de28c8af2bf1d7864d595915f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 11fb8b183a3d236fd9a880bf6be7d68b14ca69de28c8af2bf1d7864d595915f0
SHA3-384 hash: 87a2df7eabf52df873fe524a9a26f64e4c9de530f5f4268a0a7620a8c9f9e3ebab71ff9df893415c5fddc38881a66683
SHA1 hash: 508906d8b3c61e9e0399f3491f61dd3044b6e199
MD5 hash: a184e8f13f9ea7acbfc1ba2a8fdd9656
humanhash: delta-november-august-arizona
File name:Quotation Reference Details.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:531'456 bytes
First seen:2020-06-03 07:52:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:4yZbuhWm9MSwUH/TTiH1lHqL8pmFeWvVg66ob50eptyt2UO78d3s:ZuhWmqGffiH11qL0mFRg6PJ
Threatray 10'623 similar samples on MalwareBazaar
TLSH 83B4AE9C725072EFC857D072DEA92CA4EB5074BB931F4113A02725AEEA4D897CF244F2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: thfourtyeight.tarhely.eu
Sending IP: 185.51.191.48
From: info@farkaskftcnc.hu
Subject: Required Delivery Quotation
Attachment: Quotation Reference Details.z (contains "Quotation Reference Details.exe")

AgentTesla SMTP exfil server:
mail.gajjarlaser.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Genkryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 10:35:42 UTC
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ch5ywgb2hurw7wniqc7wxz6wrmkmu2o6fdek6k7r26de2wkzcxya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c0311a1cb921c213ce8b70d9f3b218c1297ece766bc209da2712cedab6960a1
AgentTesla
34389c63bfec9402befc3afc4d92259a43056b33d6e4b70054d50ba38d258981
AgentTesla
423c8c0b4eb6fc15b614326190cbd2b932f5480fdc1791ca9c03dc696ef61b31
AgentTesla
5a280ac4b15b1c6ed5a6c96c88d99c681574bd8a363ee386e69bffe62b995e6e
AgentTesla
61a1e5d143ee0c8d5929ac7386b60fa13baf8e43745f644aebc970e267b6f67a
AgentTesla
6920173eb3c5031387b852bd2dce1bdce04ed1199b914b72a009fe257d7e6766
AgentTesla
a348251ca8856d6984701e79b0946e27410542a8d6769bc0d902239ff41efc9f
AgentTesla
d3955b520c38bb369e6d3c5e3304fb29e4699cec3aa549fbb8b7f7fe137abf5f
AgentTesla
d3dc0fad4580b2c3d0f5bfe27fd99d66b20f2a2c65c219218f9e6628a9df5d2b
AgentTesla
f8ccdf4d24a9ca91670d55df56bbea28e7e94f42c89d55e18843d123b3cdbca9
AgentTesla
+ 10'613 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-1ra684ch9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 413b08c1431731c81b119a7002dd88b6248f100a937e98f05243a2732b955278

AgentTesla

Executable exe 11fb8b183a3d236fd9a880bf6be7d68b14ca69de28c8af2bf1d7864d595915f0

(this sample)

  
Dropped by
MD5 b41988326daf8285e23b938c4663d56c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 413b08c1431731c81b119a7002dd88b6248f100a937e98f05243a2732b955278

Comments