MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12d3bf5afd34673d3ef2ae96b832b63081e1a34e4ae790062035e2ebc24a9594. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	12d3bf5afd34673d3ef2ae96b832b63081e1a34e4ae790062035e2ebc24a9594
SHA3-384 hash:	71754cdcfa460c1123560c0eb098d00071f7d9170a06527826686cbf0cedf04cd6e39af69e4af09001c9b3df96326fa8
SHA1 hash:	a44c5c1555c147ac2b002f9694939cbdf9df7a85
MD5 hash:	4bdd9d655437792da1a32ef44c106e0e
humanhash:	quiet-wisconsin-queen-muppet
File name:	4bdd9d655437792da1a32ef44c106e0e.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	506'368 bytes
First seen:	2020-05-18 12:47:55 UTC
Last seen:	2020-05-18 14:26:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:AmusxD4B4MXYbQj8IugGbl5yvhzLfGkrAbdBEL8GygJ2NJ0Ubfsw32Klwxdts/5u:WNXYvoImvhzLOAAfEL5umUjs33i0bt
Threatray	11'844 similar samples on MalwareBazaar
TLSH	88B4AE29A78CFF64E937BA714146308541A1F8C76FD1F22BDB86365689139CC0CEAD93
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.hjspom.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.48933.2350.18541.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Agensla

Status:

Malicious

First seen:

2020-05-16 23:34:17 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 31 (77.42%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=clj36wx5grtt2pxsv2llqmvwgca6di2ojltzabragxroxqskswka._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4ebbe65cfe80f43324e007ecd5a4ae3ce57b0d07873df267e70d2355f06a8199

AgentTesla

55aefb224ad3c9381b95d6c131b58141aeea9e59046eae8b53968a274108cfa8

AgentTesla

6091c96b49d47ecdeecf92bedc28bc057fbe0c64f505532f5441c363c2dd7159

AgentTesla

7ea6bd01e613bd93a63711630128ebd9e4f51c411db7d87c62031d06d02127cb

AgentTesla

84783d501b78575f30aa33097f9c7c885542b892512403424fc069b048189e98

AgentTesla

86432e782ec0089c5cc180a225cf8aff59409c0ef773c0e10e6ddf898b0508bd

AgentTesla

91966b77a6acc2fd64c773d8797a505c40ecd272ebb4b44a5757990b5e4939c5

AgentTesla

9b8107f42878501861702cac98baea7034b91231b362ce08741479aaf7c6cf4d

AgentTesla

d3793a581da66ef5840648574ce364846e7c68a559c0f5e49faf9e4892ecdc72

AgentTesla

+ 11'834 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-f7v2ktaxh2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample