MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fa927f3deb121b021b9d9ada6697febc104bbdedf4f0b0e3939096019506de1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fa927f3deb121b021b9d9ada6697febc104bbdedf4f0b0e3939096019506de1
SHA3-384 hash: 6a7d8ef7e2da01f459c85c4be21e1b970d2e9e125177dceed6b9f5c9773e17e9b583bf2cec1ca1485a942564d4143767
SHA1 hash: ce80b8b573827b215f4902ffe59d03c32294331a
MD5 hash: 6875bb8ffaa5150a5d01611a6eb2da4c
humanhash: paris-quiet-double-paris
File name:PO copy.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:748'032 bytes
First seen:2020-06-23 09:38:43 UTC
Last seen:2020-06-23 12:02:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 835da88d67c43f4fe574746a3f0a5463 (4 x AgentTesla, 2 x NanoCore, 1 x FormBook)
ssdeep 12288:iRQuwUPp7KdQaKxuTOdX1AJEqIN/LETzj5BL2eNmO0Neqxo8V7qNK:+XwURKdDiuy4EIBLTNm7Q4
Threatray 11'873 similar samples on MalwareBazaar
TLSH 74F4AE62F2E0043AC13756BD5C1F5B789835BE1139289A462BE7DF8C5F392C2353A297
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
4
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12944/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fa927f3deb121b021b9d9ada6697febc104bbdedf4f0b0e3939096019506de1/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-23 09:40:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f6usp466weq3ainz3gw2m2l75paqjo6635hqwdrzheewagkqnxqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
00983a8176276beea115d21fef7919c49b29b96d78dbc2151cc04cc7d8c95b35
AgentTesla
320e17480eb4024cefbe3bf5cd769e79af356c0da9808301017334b2e2e627cc
AgentTesla
3563e51807ec435c2bbbc598d685d7f4b785bcb92c1cca452ebe4f471da2dfa0
AgentTesla
6545a2577200349e39badbb0eb6395404a91e6e6c274cefeb83481de99d06a3d
AgentTesla
84684c3af14bee4d80ffe6ef27ac50f3e36d94212019810e4aed70fe0717c098
AgentTesla
93152b69f096e83b405df3768ebe3cda65140e176152ce5bd4f5b23df17aeda3
AgentTesla
9ebeb5ba44225161419dd3306fc3dcd8aae12ca658e582ad3e5b3c6bd744bca3
AgentTesla
a215d79e7703e7f3b7a4c83ec0588f8d803fee7395aacb48355f4388fa3bb45a
AgentTesla
bd41417bfd1a5a3a4728eda91829dfcf381d84029a929a5fc23a0c03397042f0
AgentTesla
e04ef092d8d3adad8c3f032de54a73451febc7af434e87e87aaba75cc3a1914a
AgentTesla
+ 11'863 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-nwst6fj5bj/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z ff9e2a354ac6e1ae74a8d6685a5414f36d9aa46857e16d025eb48dc091672cdf

AgentTesla

Executable exe 2fa927f3deb121b021b9d9ada6697febc104bbdedf4f0b0e3939096019506de1

(this sample)

  
Dropped by
MD5 18164aa2d4ed6a07f93e9b4254823c9a
  
Dropped by
SHA256 ff9e2a354ac6e1ae74a8d6685a5414f36d9aa46857e16d025eb48dc091672cdf
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12944/

Comments