MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42e1ef60a1b2d30c853dd33542a8faef4f414fa8eab3180ad1389cc6eab24d94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 8 File information Comments

SHA256 hash:	42e1ef60a1b2d30c853dd33542a8faef4f414fa8eab3180ad1389cc6eab24d94
SHA3-384 hash:	77bd3f15831f20263028d2b463a03ab0a133e1ec17efb2d1d442d5b552403a47bb90902aed32b6db5866acc252aac03f
SHA1 hash:	6f8b27a1abaa8841a02d14a8313999fb5b7c153d
MD5 hash:	2e87993e6797708c27a14eea6b653168
humanhash:	timing-october-ohio-delta
File name:	42e1ef60a1b2d30c853dd33542a8faef4f414fa8eab3180ad1389cc6eab24d94
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	729'600 bytes
First seen:	2020-11-11 10:57:39 UTC
Last seen:	2020-11-15 22:41:06 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep	12288:dt8DjxMOnN/85eZBXj12ksOh/nTQbQ6fc2+hbI6oWHWt:dfM8uBR25wE3c2s+
Threatray	10'870 similar samples on MalwareBazaar
TLSH	2BF4D01127997B95E03EA779D42520018BF5B627E332D7DEBE9C10D90F93F845B22B0A
Reporter	seifreed
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/42e1ef60a1b2d30c853dd33542a8faef4f414fa8eab3180ad1389cc6eab24d94/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-09 12:26:30 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ilq66yfbwljqzbj52m2ufkh255huct5i5kzrqcwrhcomn2vsjwka._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

787e10aed324cae24ab5136f95deb95efe8715a6bd7ced09028b2ee21d228a5e

AgentTesla

91611c980854c78b5da49e48553e20e646e4ab8d74f03fc4b2ced8058e818e66

AgentTesla

a558950f60aa2a7e34ac71c8a3013fbf576f485a9468ecfe5fdb0a1abb2cafbe

AgentTesla

b5bc74bcee96164cc5419a48594d9aade1ebc15c2dd2544e9caa68c4fc715ed1

AgentTesla

c18c5e02d67ca2dea08e13f3731c5dd0f5d8833bf2b606287c97e1d053564b85

AgentTesla

c2492c733ead768e887ed1ebb1d1ee48fe059bde4f4650f5674c7c66adcc0dfa

AgentTesla

c62984587e756c3238bf4694ed959c509341427c9f06fc4973c0e7f6fb614546

AgentTesla

da5de33aa29159ce3331c060ed0da0b17346037aa12960652d67ecc7ba6d44a5

AgentTesla

dc241ba360d33151f9653cfc416e88c6637d91c097406965809860a5317b76e6

AgentTesla

+ 10'860 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201111-e5d9hflnhs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

42e1ef60a1b2d30c853dd33542a8faef4f414fa8eab3180ad1389cc6eab24d94

MD5 hash:

2e87993e6797708c27a14eea6b653168

SHA1 hash:

6f8b27a1abaa8841a02d14a8313999fb5b7c153d

Link:

https://www.unpac.me/results/8322e6ec-fda8-4abe-9d42-fb60510cf8e6/

SH256 hash:

f7af768d1c66dd5895c1154e12a8e6a0d3ce1e60c3575ac831b71afd6b6cd3b8

MD5 hash:

b4e39024ba6c3b0a05eac9c311d05f46

SHA1 hash:

357da2077b64a5ed22377acee6f537d782b8b468

Link:

https://www.unpac.me/results/8322e6ec-fda8-4abe-9d42-fb60510cf8e6/

SH256 hash:

46f37cdb9452c813492649b3bc569128fe6ad066be21ec7308cad25e7d6d92e3

MD5 hash:

29a4dfc5fb3c8abfe2a1735d51d4d06f

SHA1 hash:

3a7fdeac0a00310218483d3db4c13504817ebd48

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/8322e6ec-fda8-4abe-9d42-fb60510cf8e6/

Parent samples :

472f99476aec6f45e8f8ceb4b851cbb5bc3ad6385cc98fc26878f741487f9310
938f2bb4ae9732027302ba4fb2b0c77a15fe7dcd0a25696b307abb812b58ae17
42e1ef60a1b2d30c853dd33542a8faef4f414fa8eab3180ad1389cc6eab24d94
2d1bf9dab94ecd03dad9f64f433659ff280ca22e425647575801a81cc70f9023
93f9d8f95b515c1ec624f934ac92d08c29fdef1ea49e69ac33c0882ba7373fba
2445a4f2550fbb06d432b013f4e148ec9cf69657df3bcbb4c2dee79e415949af
bcf99b299260fd3ab82d02b8ab2f4f9e5dca8373b25902a9cb6b764d3a8308f3

SH256 hash:

5cf5f4beb9248da9d64937c6bda3a6045a71b624362627bd4cd88a02381413e9

MD5 hash:

398ffe169dec842c5637b6ad883f5b72

SHA1 hash:

7bcb03a107e4c90c8e2aa510b7ddebadf4807c5e

Link:

https://www.unpac.me/results/8322e6ec-fda8-4abe-9d42-fb60510cf8e6/

SH256 hash:

bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049

MD5 hash:

a92cc1f6e0a2742350dfda6726db14c0

SHA1 hash:

e5404e3ed46498deb8ad8966a774540c2b8e9c1e

Link:

https://www.unpac.me/results/8322e6ec-fda8-4abe-9d42-fb60510cf8e6/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	agent_tesla_2019 Create hunting rule
Author:	jeFF0Falltrades

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MALWARE_Win_AgentTeslaV2 Create hunting rule
Author:	ditekSHen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample