MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 238c9a018dbce6149172fadd2b55baac36b4f6abf2847cc5f9f0fa6d31b4ad41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 238c9a018dbce6149172fadd2b55baac36b4f6abf2847cc5f9f0fa6d31b4ad41
SHA3-384 hash: d2fbd86cce6b9acfcfe94b7f72b10641aaa71d501f982814ae6145d23703ed80c99fb883d19c4656cbb80060ff80e147
SHA1 hash: b2a0d5d1383cd74aae08c31c20c6530ba97e456e
MD5 hash: f6add06343c9e5805dc6fed62feadcf5
humanhash: winter-paris-bacon-winter
File name:SecuriteInfo.com.MSIL.Kryptik.WBN.28221
Download: download sample
Signature AgentTesla
Create hunting rule
File size:340'992 bytes
First seen:2020-05-27 10:44:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:fz9ay1kzdOJhB4UkQ+OeQ9vj7Zujv7HQhQvlj6/ZUM99xkeZox3jGnFaDtbkvJ6w:YyO2hBkDtivjovbxvlj6hX9DpZQ3jGFI
Threatray 31 similar samples on MalwareBazaar
TLSH 0B74020AEAB49BF0E43997F8C48706840372438B599FD72B8DD580DE14977641BC6AEB
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WBN.28221.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 07:53:03 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
25 of 30 (83.33%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
147309d384fd0ed8e6a3698651758454bce4f03b3df8a89a68a430ca8456d71c
AgentTesla
2a4abd200745105770d74dbf311c5c1b4cfff4ce743cadd3d0cce2060648a119
AgentTesla
7dfe0b47bb69bb9fb2972e346d3699ab7a0a983e8e70e4cf3bd300d1844d2fe1
AgentTesla
a2de45e108c6485ea29fb9952e55ca447df0414dfbefd5d0b7fd252c54d69d3f
AgentTesla
ad8a8821c9cb28b58d786906fb8e02a7c6c6fea304b7d1d80c9d40a199a4d9a9
AgentTesla
b02ff8c6708daa0385f7f5a227c85f9bebeb13e493a3f47f1caeccb1f1dc1ca8
AgentTesla
bcae322a6b33a3a45430e956f4051c920cb52ae6e843a3d476d8278a9a1ebfe4
AgentTesla
e1883cee535185cf45198efb88f2fb91e09c237c408d60780458b4c4fd50dcc3
AgentTesla
e40bb15dfd26c885e2c303d3d2a0cc1d63ce162f8414c0304cd268321a2532ea
AgentTesla
e4e29eef439bf36287f9dc660155697cc2d227fbccd34d95a8b59c5451ba5287
AgentTesla
+ 21 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-wvrc31xps2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 238c9a018dbce6149172fadd2b55baac36b4f6abf2847cc5f9f0fa6d31b4ad41

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/369885/
  
Delivery method
Distributed via web download

Comments