MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20e0f8561c714292edd786c9d77983c8777d8d5740758e43c08ab899e5c00023. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20e0f8561c714292edd786c9d77983c8777d8d5740758e43c08ab899e5c00023
SHA3-384 hash: 61a072f05d5b447db571e777604b894c5067f6473687a3b908ca7368163b36a4f4e2564a3b1932082d35eaafa0d8d463
SHA1 hash: dcf0851a7816647a9f4d985741cc9a526ec434b0
MD5 hash: 249daa1c11b1c6f8e7097555a94bd56a
humanhash: stairway-mockingbird-cola-july
File name:167647227-54134-sdfnt4-2.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:840'704 bytes
First seen:2020-05-07 15:21:44 UTC
Last seen:2020-05-07 16:04:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:u+QF5scZDt5mFES04wu65it98tT1Mq75L:PQLl5mFEwBPtqtTx
Threatray 2'359 similar samples on MalwareBazaar
TLSH 9D05231247445541D5AC123F72FF63D306A38ECAF986BBDB8BCA42CAD2F53D51009A8E
Reporter abuse_ch
Tags:AgentTesla ESP exe geo Santander


Avatar
abuse_ch
Malspam distributing AgentTesla:

Sending IP: 62.138.142.11
From: Factoring y Confirming - Grupo Santander <fycouit@gruposantander.com>
Subject: Confirming - Aviso de pago
Subject: Confirming - Aviso de pago
Attachment: 167647227-54134-sdfnt4-2.pdf.gz (contains "167647227-54134-sdfnt4-2.pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Nanocore.23.30754.3432.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 14:23:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=edqpqvq4ofbjf3oxq3e5o6mdzb3x3dkxib2y4q6ark4jtzoaaarq._file
Verdict:
suspicious
Similar samples:
296a22f132e22af9bf18061fbc7ca24168ede6efbc0c851a8434e6369b9c3284
AgentTesla
4381f3472301d8b680f90832edd05d853bcef530b48f0476ce7ad1f6b150434c
AgentTesla
5e5d665f261aacccd45ce0cdeb9c09190918eca48adf692919446bf5a2b8b2ba
AgentTesla
6301769547ccadd844e6dd6d8ac4b40258698d5cc3133aa8068fc623af8aba7b
AgentTesla
8180021dc09192fa9961d7f2fc35bd7224169746a9ca0e5fbab8569082173152
AgentTesla
b1998a0c1b801fdb6ac79dbda06dee6539eaf1d8a0e3c300a92339ce9151783d
AgentTesla
b85052d41b6c2615c0a857de8b3bb5f8cd18b19e5a1361ab506cc863906987a1
AgentTesla
da4bbd6957ac3ac81d2030c5cc1c7d062229ac5499318c8289977a771a17dce4
AgentTesla
e469882fa707c3f2f85c8bdd5fe250434f3fa5169ee71f8132dce99296b99629
AgentTesla
ebfb1ff1b4c2b59183abffb8fbc8fd8271d0756868ceca9b72b26cfee8030ec9
AgentTesla
+ 2'349 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-fef2kfnnxn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 9bf075b3f65175577943cc58e356164094b5c8ca8715aca2aea0f1ebec15ae40

AgentTesla

Executable exe 20e0f8561c714292edd786c9d77983c8777d8d5740758e43c08ab899e5c00023

(this sample)

  
Dropped by
MD5 6136b2442949fbe1c3bbdc0b7a52d3fa
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9bf075b3f65175577943cc58e356164094b5c8ca8715aca2aea0f1ebec15ae40

Comments