MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 29887ae5301d3c3ca584a036c36c509b52006464c7edd86e756518d36ce95a81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 29887ae5301d3c3ca584a036c36c509b52006464c7edd86e756518d36ce95a81
SHA3-384 hash: b3636be9d74f5fe8c101d3d90b353ba0024b5bc7056e5dd7ed2896b498f4d3c73de97c28bec67f551400c149ff3859f8
SHA1 hash: 5550e9bed859987c2a21fc2a3a20621805fc57bc
MD5 hash: e915458310797b8738f816e6231e139e
humanhash: beer-stairway-solar-maryland
File name:DHL Consignment Details_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:620'032 bytes
First seen:2020-05-06 10:33:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:gINjprJlckeFAypJXSu/2I9A80ab94dhx/8NJCibbb42et5k+nV/YLGmA:/rJllzkdSW0B8M2et5Hnd
Threatray 10'726 similar samples on MalwareBazaar
TLSH E6D4393D3A80A816F13D0E7244E952D262B7A5437E02EB0F3AC9475C6F527EB3B4D259
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: cloudhost-186187.us-west-1.nxcli.net
Sending IP: 173.249.144.83
From: DHL EXPRESS <support@dhl.com>
Reply-To: worldwide@dhl.com
Subject: DHL Shippment Notification !!
Attachment: DHL Consignment Details_pdf.rar (contains "DHL Consignment Details_pdf.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 03:39:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fgehvzjqdu6dzjmeua3mg3cqtnjaazdey7w5q3tvmumng3hjlkaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
086131bf031aeeb372e3cdd11208f308854b5fc52e68186f738be9cddd01c032
AgentTesla
12a1af4ef81e1c6e71faac652ae0b27d26f7c0f8f03a1e5191e64efd85cf580a
AgentTesla
18f1ef2dbfc681bdc30619ac7d83ea4433716d0e1756025d72536b143fb6bf8d
AgentTesla
51bd8dfa22a6e05ec3c95e28ab55dd1fc64ff43cec0195245ac1f4630a5663e0
AgentTesla
566d75da52a7a8452233464bc0e22b5ee7242ccdc71cc8e518b76621eebe269f
AgentTesla
6c13cac565c109b9a426bb931a2d3d4b5e846e16a6a30f78076e0d2bdfe4577f
AgentTesla
7931c2fc08b888aee9fdcebc85e09b814f280227a2320692a3966328c78d7dbb
AgentTesla
7f53bd572119fdf76ecbbd85af8c3605a989a01d1fe3121353afff651b8ddfe6
AgentTesla
ea2e7ec387cf91e0ad3d44c01b25adc702061e93b66d21f8b3dd1eab812045f9
AgentTesla
ecefae0dfdd4a990c942fc9dcc0b375796922dcf03420de8d17e4529eea9632e
AgentTesla
+ 10'716 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-22hdp9243a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 61c390aada68477542e8e4f2b82bee0fd580dfe1893255d6f4d0dd12d7b2b2b5

AgentTesla

Executable exe 29887ae5301d3c3ca584a036c36c509b52006464c7edd86e756518d36ce95a81

(this sample)

  
Dropped by
MD5 0be3dcbc2c7ae835d94ee83ae5495df4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 61c390aada68477542e8e4f2b82bee0fd580dfe1893255d6f4d0dd12d7b2b2b5

Comments