MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 215da2273362ea646fd6dacd5eda5156245f2c3137c89c3242f6e134935da38c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 215da2273362ea646fd6dacd5eda5156245f2c3137c89c3242f6e134935da38c
SHA3-384 hash: 516a653efeae22e6b612d83a8009426b86ba5d7c16e02f35b3f8415e01c8457ef5a1e73671da56150be2bebd6b22b776
SHA1 hash: 0fc76aba3051974581297f347e9efa2fdf89a783
MD5 hash: 0baa110d87eaf3551ac4fd063d6760b2
humanhash: chicken-crazy-earth-magnesium
File name:0baa110d87eaf3551ac4fd063d6760b2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:677'888 bytes
First seen:2020-06-26 07:19:44 UTC
Last seen:2020-06-27 07:44:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 4efaaf21b12695f01a3026d85b9437a9 (5 x AgentTesla, 5 x Loki, 2 x FormBook)
ssdeep 12288:0EWYuBQgNo1MTuOxYL1ITsHwDUyt3EDY7gw6FfflkiOelSVR:dtIouYueWd3EDYMwsflkgk
Threatray 11'767 similar samples on MalwareBazaar
TLSH 71E4AF21F3E04832C062153D9D3BD6785B2ABD5139586A462BF4FD0CAFF5E8139262B7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.almashosting.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14688/
Detection(s):
SecuriteInfo.com.Win32.Injector.EMHU.4343.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Creating a window
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/215da2273362ea646fd6dacd5eda5156245f2c3137c89c3242f6e134935da38c/
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-06-26 07:21:04 UTC
File Type:
PE (Exe)
Extracted files:
295
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=efo2ejztmlvgi36w3lgv5wsrkysf6lbrg7ejymsc63qtje25uoga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0548e8d5359f46894fe4872bbba30cc48775d5fb909eba94e3534c8b018976af
AgentTesla
3434bb383c8dd721266f60e07820474205d70c5da9ebb465109ace7894567437
AgentTesla
394f162ad3fd881b928c5534c22a2c81c7db33b8c7e874645fa409599cfd5113
AgentTesla
3c6253d227ce48fa3c02214e2c38001814480e7f963dadb0f0833527c76111ed
AgentTesla
42856ee2d8599b42d168b9294458656c963fa31b0d9cf79299398d3c4126d5d6
AgentTesla
49a1cbfa2db53865a0e5378eaa7f906ef83e86969ca477bfae8a3004c692caf8
AgentTesla
565eb959d96fa0af1735a761aa0b87de4bcb887e80d3802e9cf92efe7bd2b554
AgentTesla
68b8730a3c5e7e57bac4f049b366aa82339f4e742632e26def24b3d3c1b939fb
AgentTesla
8740c69b19d17495a8622b3fc7c7c9bd1c39464483fbfe01cc1c459ef3773910
AgentTesla
a62a90789d488d851050ad121400c40bdcbad55ff7acedca829edff301b0342d
AgentTesla
+ 11'757 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200626-b6zgct5vvx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/14688/

Comments


Avatar
Corsin Camichel commented on 2020-06-27 07:46:59 UTC

Dropped by https://bazaar.abuse.ch/sample/a47c0d2b2a0cc81ad38471f8fe1386123f4e2c316fc1e0fa366527ba6d3079af/