MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b592308b29b6758a2ccfc2728f755be9f93e80e6712e39f0f95487723f808f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2b592308b29b6758a2ccfc2728f755be9f93e80e6712e39f0f95487723f808f2
SHA3-384 hash: a17d1b7d71b219e401619373a01aafe5010e0a8157c95fb4089a3186753f8a55a9cf5b0f3b32f263b8cca0d3965c20e2
SHA1 hash: 16200ca78fbfaac07c8a69ebb5ff9881c6582a1f
MD5 hash: a0e6917e2f70b620dae73bd29d83118d
humanhash: freddie-maine-twenty-mars
File name:REQUIED NEW ORDERS AGAINST 30ML LONG BOTTLEWIAP & PLUG_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:385'024 bytes
First seen:2020-06-17 06:15:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:0y86A1N0kN65+k0Xc7L1iIJ6iKpMV+u+D9xloIjjoCFE4K/trfeXxmln:0t6UNkj7JgivVKRrvjiTReXQ
Threatray 10'775 similar samples on MalwareBazaar
TLSH A384BE3D657D1BB7C9BDC37846C4082FF85056573A01AE5F98E70B9A8A49B427CC223E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: stopdistributionusa.pw
Sending IP: 142.11.212.111
From: Veena Bhise <hr@stopdistributionusa.pw>
Subject: REQUIED NEW ORDERS AGAINST 30ML LONG BOTTLE WITH CAP & PLUG
Attachment: REQUIED NEW ORDERS AGAINST 30ML LONG BOTTLEWIAP PLUG_pdf.rar (contains "REQUIED NEW ORDERS AGAINST 30ML LONG BOTTLEWIAP & PLUG_pdf.exe")

AgentTesla SMTP exfil server:
mail.hospitalveterinariosur.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19142/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.53822.11960.26758.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-17 06:17:04 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fnmsgcfstntvriwm7qtsr52vx2pzh2aom4johhypsvehoi7ybdza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
47f6cacd998a57442a950d19453874b725e689ae02ce9869cdec782595eab377
AgentTesla
64a41ad52d59bece56d2f40e5b37ff27043fd3cb40a390a28e18101ee2bd6c6d
AgentTesla
75baae23f80f6def274e340b17867d205068b34425fe6f7537c9667e370dec5a
AgentTesla
9b20b1817947f3b195de03856a8251019ca5f541256d450fe940c1bea7dabb45
AgentTesla
b3d8eff8aae92a5b55b1b1b8b11f1722f3065d4e0d2d0d8f248942e53d139d37
AgentTesla
d2f382c29e58d85ead80623251160b4fb8504d3a71890a63519c22c04ecc9217
AgentTesla
dff1e27ea5797b49da2a5c7ca8ef6af4b4681d9bdc3baf92ceb0db77cb00fc83
AgentTesla
eb18282566acfa61046f56dd07ef72397528a06b8765c6b033d5153bf9bee0eb
AgentTesla
fc6d76b83d4292945015a7a7b9440f510732a070d9d1cefd26fc3d46591cca9f
AgentTesla
ff4ce18a829161a6d3e62fdcc8ae87d234b8b964abf8e7cddb9f44e761ae4a7d
AgentTesla
+ 10'765 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware persistence keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-a5lgqrprzn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies service
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

ec55099ab42f8e56eaa1edf4e78f4500

AgentTesla

Executable exe 2b592308b29b6758a2ccfc2728f755be9f93e80e6712e39f0f95487723f808f2

(this sample)

  
Dropped by
MD5 ec55099ab42f8e56eaa1edf4e78f4500
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/19142/

Comments