MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24c871a763e208ba82f7ce7df48fea42c962214954181dc72f17c9112cc74c5e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24c871a763e208ba82f7ce7df48fea42c962214954181dc72f17c9112cc74c5e
SHA3-384 hash: 0311beea6382b9354d642c0e3a70076714f3f6b793c6c5df29432730efe13210ecb3f8f7be497b850a9c7039e5e13c70
SHA1 hash: 90765673c7dd564713b22ab4e79b5590e1ba1ce7
MD5 hash: 7cfc48fced26f7fa65143552af8426db
humanhash: arkansas-beryllium-golf-bluebird
File name:7cfc48fced26f7fa65143552af8426db.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:531'456 bytes
First seen:2020-07-05 11:22:47 UTC
Last seen:2020-07-05 11:45:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'817 x AgentTesla, 19'738 x Formbook, 12'282 x SnakeKeylogger)
ssdeep 6144:LRwTxEoV3U0njAyrA7guLMJssuGG/fbkV0259sY:LRwdE+E0njjRgNL/fbkVL5p
Threatray 5'085 similar samples on MalwareBazaar
TLSH 05B43F221D54C465FC481230D0A11B0B26679DEF3DC07A4BB189BBEB9F19E4C7BB4A9D
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/20656/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Reading Telegram data
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24c871a763e208ba82f7ce7df48fea42c962214954181dc72f17c9112cc74c5e/
Threat name:
ByteCode-MSIL.Backdoor.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-07-05 11:24:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=etehdj3d4ielvaxxzz67jd7kileweikjkqmb3rzpc7erclghjrpa._file
Verdict:
malicious
Similar samples:
0b95b126cf983c7a26829e8355d66de10cc1e085a3a981703040269ce43f863a
AgentTesla
12d8decff8e6285f7bf32161258817d35ebf684c9db5acb26aa79dd6c6e96960
AgentTesla
178cf2e50182606e000719ee8b7caa9c620950155542d10de6dd7eb5a2a34d01
AgentTesla
256966058fb63c734b270b6842820287bb83a5895d0a14a5b66f52db037405fb
AgentTesla
429cefff743820eac9d12ba43fb0c12bd77b854330164a74b6450230a31928bc
AgentTesla
58556055a31ae8d4e6bc4afd7feaf61439ea03860546796f6a1bc2cd100625ce
AgentTesla
5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d
AgentTesla
b23504990949945298994fe36a74f143e6534c45c9b7186451f46891e117da6e
AgentTesla
ca8194e9a1232e508619269bdf9a9c71c4b76e7852d86ed18f02088229b0f7c7
AgentTesla
e363126219327414e0ab73a7b053e3c25bcfd656ff7b3b1f5db6e86076a93986
AgentTesla
+ 5'075 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/200705-bzgvpfw46e/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks for installed software on the system
Checks for installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 24c871a763e208ba82f7ce7df48fea42c962214954181dc72f17c9112cc74c5e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/407605/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/20656/

Comments