MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 444dbd23e6c28c0bb0042972032cf0e39aa17d1a868feb135cfd4f8715815cf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 444dbd23e6c28c0bb0042972032cf0e39aa17d1a868feb135cfd4f8715815cf7
SHA3-384 hash: 6fa2f48e4eda335075921896f2dd1690c3f2cf901ddda3157c252bb9b8918fc7138f5d197963c3ab02193ad377c846f4
SHA1 hash: 21f533172bfdeeac7ccbfdd95b1717fa10cac425
MD5 hash: ebcdbc67323558790bc62fac5eed5a55
humanhash: don-stairway-pasta-green
File name:softx.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:993'792 bytes
First seen:2020-06-10 15:04:52 UTC
Last seen:2020-06-10 16:08:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7d65399c5add7cb5e24be74fb6399173 (7 x AgentTesla, 1 x HawkEye)
ssdeep 24576:dpZm9/TXkFkZTdFBWwmMdHqHXn9nn6BkkqLQ:1T6prLktOxqE
Threatray 11'756 similar samples on MalwareBazaar
TLSH BB259E16E6D26433C172363C9C1B5375B82AFE202D29A9472BE5CE7C5F3928139391B7
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Webalta-6854075-0
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 15:06:06 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=irg32i7gykgaxmaeffzaglhq4onkc7i2q2h6we247vhyofmblt3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
05cd23e324a71fce04f7391dfff7074b5e70f28cf069c6c79a4589ed20704f01
AgentTesla
0aa87d2efeb052d60fab537d1057cc73e0161ba2d545e8f2d146a60becda9104
AgentTesla
16be43a5803d8d1e1adf07c669a6dc81f25b14846399a63c1079ab2403d8c0c4
AgentTesla
2a92c932dce172a743bb564ad5b5c0f4483f909d167ca7fd786146b7914f2e71
AgentTesla
2d2befbde778d8f017d6342f98b2260227671f7badc9014eb653b8e1d1663c16
AgentTesla
42cca3ae2e4d971b4bd7acc8b205c22ba675aa08b760aac654514c5578d74dc2
AgentTesla
65ba735b51860a27d7b7880d4f3153ebb4817e162141ceb4624f4f10862d2cfa
AgentTesla
864cf44c41eaf87e34e55bcfc4329ac2aedab4ec6badc8beeb6decc89ffeeaee
AgentTesla
89a2b42f0ece656344a8e98a0b0a4f28c93a56962507a816f071cd7c67bd03a4
AgentTesla
971fd2053d4a62223302474c983169287b78918339c7779fc9eadaafde0c8e2e
AgentTesla
+ 11'746 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-ks5pyjtcta/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Word file doc 52ca32d6213d87deb4dfcd3374da42985ba8ae335de4ac9a5e80791d104d7cea

AgentTesla

Executable exe 444dbd23e6c28c0bb0042972032cf0e39aa17d1a868feb135cfd4f8715815cf7

(this sample)

  
Dropped by
MD5 91f84a443b994ad5433c2d59e5869a61
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 52ca32d6213d87deb4dfcd3374da42985ba8ae335de4ac9a5e80791d104d7cea

Comments