MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4196e77b555b5320913fbff4f5a329130e1f5b935f37f18e9deaa7b83f0b5108. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4196e77b555b5320913fbff4f5a329130e1f5b935f37f18e9deaa7b83f0b5108
SHA3-384 hash: c5e853883fc82f53a4c26b9a4c96cb9a111f9345598e2ae7dcd5b6c2de96d66c4490ad90c69388538e69733127b91f30
SHA1 hash: debe64b5daa0ec2a89d6c07a66e4b3c2e3ca8be1
MD5 hash: 4a440baa6a27dded117bc8b437ecc208
humanhash: early-michigan-solar-angel
File name:Order inquiry #LC270520.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:479'232 bytes
First seen:2020-06-12 06:36:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:kC7IRUWmG0xuZQfbMh2IEkrGvId/A/Wo2tD2Tz3:/ERQLYhWyjVAen2
Threatray 10'585 similar samples on MalwareBazaar
TLSH 73A4014A3B94B6FFC957C172ADA42C64EB60796B970B9317F013129D690E4A7CF090F2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: websmtp.net4india.com
Sending IP: 118.67.248.221
From: Marie BIATCHON <sameer@la-cast.com>
Reply-To: marie.biatchon@tisa-ci.com
Subject: Inquiry Order #LC270520 From Tisa
Attachment: Order inquiry LC270520.rar (contains "Order inquiry #LC270520.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9089/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.8252.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-12 06:38:10 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=igloo62vlnjsbej7x72plizjcmhb6w4tl437ddu55kt3qpylkeea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
38784e09ac572a99811a368a4cc4ba28f949b2ada8f0ce426de03a0bf7c2ee99
AgentTesla
65e49a29cdfa1f1f91d5a59354ce7920a03b4aaddc0e26a3b002985d57388ea8
AgentTesla
793666eca93a68eaa6cbb34eac888c354c61cc5d92e5f8d99466020a430308b2
AgentTesla
89bd696df7073c78ebc27a60c79728b782ca27d1d82abc8b0d5aafea1d1d61d3
AgentTesla
96382f5a4c395562a3d763a7f61e09486af57987d43e5cd231063993bb6952ac
AgentTesla
978d51366e13c76915194bf67170b7431115e1962eddee9debeb3f8c89d77a88
AgentTesla
9aacf7241d4ac98976ece20663fe83d6b5f13bfe98b597ae02ed5d39614b9c16
AgentTesla
9d81a85ddc0cda68c4b9592df54155b4bf43f958cb17afa9a84c2f77bbbda0a7
AgentTesla
e06afa0c894ebda14b627718de1c45ac92bc1037a26592f4df7751c918bb1bc4
AgentTesla
fdf384c1cbcfbcd1bbb814f9d80ddcc4d2b3c786fda29c3a48ef7cde8f08d78f
AgentTesla
+ 10'575 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-cljy2n78da/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 627ca0600a0401e42a4c79718f302003ed0fd340ecb30c49e3a4c3f575e667ab

AgentTesla

Executable exe 4196e77b555b5320913fbff4f5a329130e1f5b935f37f18e9deaa7b83f0b5108

(this sample)

  
Dropped by
MD5 1204fc26ae0f0783182d74ec17be7163
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 627ca0600a0401e42a4c79718f302003ed0fd340ecb30c49e3a4c3f575e667ab
Cape
Cape
https://www.capesandbox.com/analysis/9089/

Comments