MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 35d8fbdb864d9104dd1a9f05fe522b27bb6d278ea993a7863b298b66df06636b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 35d8fbdb864d9104dd1a9f05fe522b27bb6d278ea993a7863b298b66df06636b
SHA3-384 hash: 1c57032b466e3a3feede938826781242eba593f7d3d57842fc70a063a7a61b7f011c7f1041edd943750d5e44d3a78b3e
SHA1 hash: 3b97193151af016a51b712590bb6c1d796581300
MD5 hash: bd90b937f05109eca2c51d7c4f1bf35f
humanhash: moon-yellow-indigo-cup
File name:Crypted chidubem.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:511'488 bytes
First seen:2020-06-10 11:43:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:jefQgw0M89R6x2rifo0KT74IQJv8FZw8eM1vjr:jeffv9Ax2rSan47K
Threatray 11'163 similar samples on MalwareBazaar
TLSH F3B4AE8D3650B29FC86BC97289D82C24AB60A477572BD343A44312ED9E4D6DBCF152F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: cpanel2.centrin.net.id
Sending IP: 202.146.241.44
From: info@besarbersama.com
Subject: official purchase order
Attachment: PO.4029530.zip (contains "Crypted chidubem.exe")

AgentTesla SMTP exfil server:
mail.ggdbandas.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
63
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 11:45:06 UTC
AV detection:
25 of 30 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gxmpxw4gjwiqjxi2t4c74urle65w2j4ovgj2pbr3fgfwnxygmnvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06bdfeb06913135fc27119ebf2c896d2ff3d30e05a1cbd53ad1d0f632a4fba46
AgentTesla
12afcd370e4beae67e78b936b7ba8035642ea4e5921a332b0a8ffac8452fa0ac
AgentTesla
41286add2d2794d8d0533d4669a876ebd5a729c6a6a887f2780fc2c1a50fcbb1
AgentTesla
4934d33a7f00d07cd8c4eeb39889b2089decc7274ab7fdc647fc28f21b0ad7ec
AgentTesla
57df36fc7452bb8ef66e18f5ca34deace335039f1ffe1119c975b547a788377e
AgentTesla
984dcd1e483c7b401fbc79d66b6b9d680d3afd05c570e42d6a02b803ed93cf61
AgentTesla
bed9018959954b065b562f8544a2cb32a39b4f6710694804164491844ed047ea
AgentTesla
e1ff434ecce0bc608bbbb204def5a11548e2b0e9105979d9b6c01486d7768e5c
AgentTesla
e70a32319ddb990bd412b11fc12e09e00105104fbd576e5e0f9c40445f910ae4
AgentTesla
ea3ab2906a0fbe3de7ec765a762d6537bdc51234d7be3391348cf45534e4fbe8
AgentTesla
+ 11'153 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-11k45c6ay2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e2a7702dd3c5b857f52bff7266c66af153cd4a2b225c568afc19acb58a22ba25

AgentTesla

Executable exe 35d8fbdb864d9104dd1a9f05fe522b27bb6d278ea993a7863b298b66df06636b

(this sample)

  
Dropped by
MD5 987c39e404770061c4d6df4b2802dde0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e2a7702dd3c5b857f52bff7266c66af153cd4a2b225c568afc19acb58a22ba25

Comments