MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b215f12b5c2f2551558585ee9383431d50812c0b62f97c8c5f6b55a849dfdbd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b215f12b5c2f2551558585ee9383431d50812c0b62f97c8c5f6b55a849dfdbd
SHA3-384 hash: fbd2b5298693ed9282032197ac3858be2b0f197845998a1e9b606ae86b33ecb8ab78146f5abc0a30cfb76f41fb2d3df2
SHA1 hash: 91c7a1c0932a206f4a3088614b87d8d1c6b349dd
MD5 hash: ad9e75028392cd40cee05fe30a193c21
humanhash: nebraska-november-sixteen-maryland
File name:Purchase Order DAWOOD PROJECT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:472'064 bytes
First seen:2020-05-20 07:57:17 UTC
Last seen:2020-05-20 09:02:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:912GhNF2GhNCboWvQD0p+3i7oA1WokVFbjcy/lrgk1x+kUVzadx8Mm3YSbFC7:912iNF2iNPSUDFncy/lrgk7I5aHqs7
Threatray 44 similar samples on MalwareBazaar
TLSH 28A40142F3A84737CBBA17B605266E661F75988ADA51F3991CCC338E09B2B147500BDF
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 162-241-215-51.unifiedlayer.com
Sending IP: 162.241.215.51
From: Mohammed Mehroz <info@dawood.om>
Reply-To: Mohammed Mehroz <noblesdesks@gmail.com>
Subject: RE: Purchase Order DAWOOD PROJECT
Attachment: Purchase Order DAWOOD PROJECT.rar (contains "Purchase Order DAWOOD PROJECT.exe")

AgentTesla SMTP exfil server:
mail.oaslifting.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VZJ.7129.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 08:36:36 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
25 of 30 (83.33%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fmqv6evvylzfkfkylbposobughkqqewawyxzpsgf622vvbe57w6q._file
Verdict:
unknown
Similar samples:
166e8f703c8742e8cc452bc1bd0bab6381eb636bbac96b98a610120616e36d4f
AgentTesla
302861906823488445aa55798c426bc5dbabbba3c3f3451f0315fb2b65ee67f5
AgentTesla
3b9249c30657d9a00ff3bba9aa8f65e5985cfe00d76a10759a3578d29f58a93b
AgentTesla
3c1ce75269219a15d338a103c5e5baf8629438d062474a7c11e3792fdcabdf06
AgentTesla
52f137c22685d15df043daabdb9c823e07ecec4df42bcc2fa2c5bd45913d32ea
AgentTesla
7bb95adca7fb0ae8461549f2edb54df110c16a94113f1d1db725ce14672da18c
AgentTesla
7e6e816dbbc22c332a1abb111dd3ffee00bf301aba6af9343b4caf78be3d9a35
AgentTesla
7fb38c253c297bdd3fc18c3c3d98e7c3010c15e868eeb395a740f49d6181d20d
AgentTesla
862ca07718035a806f80bb71e2e7de8dbb042803ed854aa332b98adcc7cb8a5d
AgentTesla
8f1e4d566bca753281462bd0d67815385c0d06eff9ff67e691831a0db757701c
AgentTesla
+ 34 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-f9ysvl484e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar aa819170383fc207d1f3da2d98396bf2d4f37268295450c1e8fcdfc1c25a88b8

AgentTesla

Executable exe 2b215f12b5c2f2551558585ee9383431d50812c0b62f97c8c5f6b55a849dfdbd

(this sample)

  
Dropped by
MD5 2660269385f46ebfcda51cff6826fade
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 aa819170383fc207d1f3da2d98396bf2d4f37268295450c1e8fcdfc1c25a88b8

Comments