MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27601ec31e6aee2d98c23980389925a398f590299feba12ef9eb5954b948df0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27601ec31e6aee2d98c23980389925a398f590299feba12ef9eb5954b948df0d
SHA3-384 hash: 0b9f88e93ed79925e0ced229f381c96687236db00fac782b3be03a53a460d2326b8aa0b04f7b479ec6438f4633ec9ea5
SHA1 hash: df564442b210bf65bfb02375b3e1a888922e522a
MD5 hash: fc7e33c84550991a0d28074dfdb779ed
humanhash: crazy-shade-dakota-eighteen
File name:PDA Query.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:702'976 bytes
First seen:2020-05-20 11:38:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:rSS9w9XTW/YG7tcuKVcavlkM9NWilSto2atj4LH4E1wQo8lRNzMlaMfR3:rSHW/7OJZSqNHm3atLQoQAZfR
Threatray 10'943 similar samples on MalwareBazaar
TLSH 24E4DF9136044D07EBCD85FD90E6D1C623B1B9630F92EBC57ED232C931B1BE6668258B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail0.83.igfxinvest.com
Sending IP: 161.35.214.5
From: DA-Desk FZ <PDA-screeners@da-desk.com>
Subject: PDA Query - Port Agency Appointment
Attachment: PDA Query.rar (contains "PDA Query.exe")

AgentTesla SMTP exfil server:
mail.kalatecnic.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 12:30:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
20
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e5qb5qy6nlxc3ggchgadrgjfuomplebjt7v2clxz5nmvjoki34gq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00b85c15e241bfcd6a5a9d64029e117876da5029b60b8f4828f859277dafc6f2
AgentTesla
044f346090955fbda34aa50d2a670296ac175e76993ee9abc3ea2618b0a9cec0
AgentTesla
23be523b6362fe7aa10f2efad475684437ac048bb7c8dc01508cd4b731b66ae3
AgentTesla
4bff91911fbfbb6f44a3879a87f21b04b8dfee9653ae8200e954da862afa3b94
AgentTesla
6d64b4e9f5d0ce23f886c24e546fa03e0f4022835e5c98249a6d4259a5d7fef7
AgentTesla
7d02ae5ae3ed3b7a13ff5495174216ea3195764d7154b8e9b4997c74fd08fb09
AgentTesla
ad1ba35ad3e67c158d68821fc80b9b2b016fd511f0a527279c3f7da6ae50d49f
AgentTesla
bf15b6d8ed1637598fd2d08ae5f619a4c08c6b03372fddfa8f68f6380e735083
AgentTesla
fba5658815c50ae760c7baf3e1bd1bc7f3f78a7bf71066c4b4502b755b35826c
AgentTesla
ffb4e1b5e6ac64c969e3f90351eb0d401146f266b6678dfbff611faaf15a311f
AgentTesla
+ 10'933 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-tjfrkbb6lx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar c68d5419657c8fc60c77405473ba808db91e32069a3d67ed8c406f9af8c122e3

AgentTesla

Executable exe 27601ec31e6aee2d98c23980389925a398f590299feba12ef9eb5954b948df0d

(this sample)

  
Dropped by
MD5 58feb1a3f450975ac9177acfbb9ffb54
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c68d5419657c8fc60c77405473ba808db91e32069a3d67ed8c406f9af8c122e3

Comments