MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4227b2c2e57cce8f1b8261a41d08d3a2f98e5034d9a14a11c376a520fb8ed284. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	4227b2c2e57cce8f1b8261a41d08d3a2f98e5034d9a14a11c376a520fb8ed284
SHA3-384 hash:	a01d09514009c2241dbdd050ac8ce0660a9de330b864972ff2e0f54c94f6d5b794acd407f6b026e70da68414bfc303e0
SHA1 hash:	df1272d651c8ae9799816c3aa14eb14bce28386e
MD5 hash:	f04b4e105c49164353a2b4d074d30f64
humanhash:	sodium-east-december-beer
File name:	12 JUNE 2020 DG booking CMSSG2005014.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	407'552 bytes
First seen:	2020-06-12 19:28:52 UTC
Last seen:	2020-06-12 20:35:29 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:1hcCw3Q6fZzOHy7mHirmuzC4OMQVCk+Z:1S3Q6hSHypJQQZ
Threatray	10'620 similar samples on MalwareBazaar
TLSH	8784124772E4BB21EB3EA7F924F5569A2BF1211E8823DA8D1DD101C31D717620E9DC87
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/8024/

Detection(s):

SecuriteInfo.com.Trojan.Siggen9.53695.15335.29654.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-12 17:02:13 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=iit3fqxfpthi6g4cmgsb2cgtul4y4ubu3gquueodo2ssb64o2kca._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

59ae70d9d29e851c8564e7974ac853daa40d6ab9adb6fccf1b990042c8b2be03

AgentTesla

66f1141f641be090463b0f797b11f348ba8c34f1fdd2f48f91b76604d9a6c707

AgentTesla

7faf593c0d611ccedd668298146e559bcbebcb3149efd5af45269a862b4806a1

AgentTesla

8e7bbf8a58e3633c72514c11d5a4c161a6d2a2c9fe04111375ec4fa82580baef

AgentTesla

a81b0fa11e6bc26ac9811b8c3bb924d629c1395f8e6421e27acf9e76e71ef753

AgentTesla

b728bdb1b447a5ddaee163be25143ee8c04de2a71505eb61ad5a4001a8198084

AgentTesla

d6198a40200fe7f0c1e05017388bd14d7c1cb097767dd2bf06713f9f0dc1f488

AgentTesla

f03f7b19fd5b10cadcce4dcdaf7bc0f3e623a2ba1d6677e767c5ee4e3a042a66

AgentTesla

f40c12c6a297adb4e60fe4aa09f691f9d697b6c6c676449a434a5879919cceff

AgentTesla

+ 10'610 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-h2vy298kga/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

rezer0

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/8024/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample