MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fa1eb179872a0c83b944f67d300e1ee6afbe4c31afa3eb687eafaa1e8571e71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	2fa1eb179872a0c83b944f67d300e1ee6afbe4c31afa3eb687eafaa1e8571e71
SHA3-384 hash:	853b8365f5d2e34d997c89319a5f08dd1847d16880ce7355de98395efa549f120862f68632dff6f0d1c170e6abef1897
SHA1 hash:	e0fd370512aaeb7d2c39b6909910ba92e9afc0c2
MD5 hash:	d364e59279cc41f012972b3e819c3fef
humanhash:	virginia-hawaii-thirteen-undress
File name:	gpt.alarmasystems.ru_wp_content_themes_twentysixteen_inc__xp0phj5s.exe.malw
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	406'016 bytes
First seen:	2020-06-17 02:23:24 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:2DQjvhzPtVDgCgmmY50fezvkWksvy5McFPQ8:gQjvhztVdzc4v7kJ
Threatray	496 similar samples on MalwareBazaar
TLSH	FA84F1247113CB75C3AC51B6CB9B5908037C6A072857CB1E7BAD626E0E517CB9A12BCF
Reporter	ov3rflow1
Tags:	malw

Intelligence

File Origin

# of uploads :

1

# of downloads :

92

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Artemis.17237.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-16 16:01:43 UTC

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

147e0bd6d82f2f3d9b402dec62020c117350407cf2871dd73a14a137ae647fd5

2ba2967a4d170914094d511861a98d9be4f39aa45f5bed35e7d04013508f19fe

30e4e4dae89b18d6b6bc4ad98481862eed64806e84dceceaa328899185a7be02

7cbad73d42c4241072e2163720a87762f258cbeca1584839d7ed7ee1148559e1

9330ee2921887af4f02427f37ea2a7d0a296e2f82fe88c7001d73f74258ff92c

977eb3104726250bc364dcb5732a75c743c502bd816aef9c813ba73cb1ce3cbd

9ce61ae5037ceb9f8ce9dac6288d9125230dc58f58a4e1450e85081a8a620c15

c128856d5c14b0bdf9b327cc2abbec30cfdfb5c0692f7ac57bc22551037da339

c58f0824b5c50b5988d4aa44635c1027209920bd8ab9baa6be6bd75997fc86bd

dc61af34a94463996df082d9588b579b22f4b7bf6a63299d82cc51593b590352

+ 486 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla persistence

Link:

https://tria.ge/reports/200624-rstbh3gjn6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run entry to start application

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Loads dropped DLL

Reads user/profile data of local email clients

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/394874/

Cape

Cape

https://www.capesandbox.com/analysis/19011/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample