MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 16f501d2feae839294dd37a8e99239cb38206c41c0d40071cd94f74e49bd0c0b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 2 File information Comments

SHA256 hash:	16f501d2feae839294dd37a8e99239cb38206c41c0d40071cd94f74e49bd0c0b
SHA3-384 hash:	a0d2065d00cbddaba5c1097f50e6258ae1f1afa3bee604949fd0e4a70534a04b8e45a19c49b2ba0f031e92d1a70455e4
SHA1 hash:	da047fdeb37891e9c27c753e6f39308b2b47022e
MD5 hash:	fd23492d40af3ae17cda9f7563f29949
humanhash:	kilo-hotel-friend-beer
File name:	xxx.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	809'472 bytes
First seen:	2020-05-07 04:36:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:W60igYvJJL7XJAnY7IGWWDlZV8Iaffekfnaf/TQGzCmgqXghoAIae98oUqg:W60ixRJHX+nOIjWWdyz9iy93U
Threatray	10'567 similar samples on MalwareBazaar
TLSH	A6057D3F3B857815E53D0A3285BA65C0B272AA833602C34F79E597EC6F0339B779514A
Reporter	JoulK
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.AgentTesla-6952874-1

Win.Malware.AgentTesla-7660762-0

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-07 05:36:01 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 31 (58.06%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c32qdux6v2bzffg5g6uoterzzm4ca3cbydkaa4onst3u4sn5bqfq._file

Verdict:

malicious

Label(s):

agenttesla

netwirerc

AgentTesla

30a1ca2aeefb424928f5c772c30ef665087ae12cfe331e4d9380abf58b8f047d

AgentTesla

373bbf9fe0aa747106f165d07c474e8e73c891e0150c87c90d8f389a3621c044

AgentTesla

4917103eef77ce8fd5beb88efd446180445e0ee6ac933f5e42443d3673d62bc8

AgentTesla

6dc407eb41b8a813558364ae42dcdcce2019209615cc73141b9b6b91de15fd29

AgentTesla

82888e4c1b79c13b1030a983093f9c2452631f593ec65a3ec975964e1e3322e7

AgentTesla

8eebcb7d52c969e6bb4704f11022afdf9d61462f96ad27e6859863fa681c77e6

AgentTesla

9539edd2ef18098078d0835ecd1f4e5e5123eef9a3931f3e989fadafb95574eb

AgentTesla

9c07edc02d5182033a99b954e0ad56221d63af45954fd9580e8bb3018deb1abb

AgentTesla

ddd78da962ab1cd6366af9c647daaa7f234e8125c62b10cab1eeb715f4c0e514

AgentTesla

+ 10'557 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla agilenet keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-9a5sp8qmb6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Executes dropped EXE

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample