MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4a5ba37101ef029435b69fe77e8af8924e4714c66a32390f83a5546025f42200. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4a5ba37101ef029435b69fe77e8af8924e4714c66a32390f83a5546025f42200
SHA3-384 hash: b98ec8b1ff807a1ec546b9b61bfcdac1d9fa8ec8d1bd14b32f7fe590e9af9ee1ea3806289147ef539934cd915ffbb40b
SHA1 hash: 58d5f994faa8c2aa93bc604992cb9aedca119735
MD5 hash: afe8ac2494492762e8ab91a08a00fb55
humanhash: robin-ink-quebec-triple
File name:Product Inquiry.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:588'288 bytes
First seen:2020-06-10 07:16:17 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'610 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:GxLl3LOMALInwHy7wJpggSJevzAViVkooiRwcZtikjSKaIR:GdRonS7wJpggS00mkoRz
Threatray 12'159 similar samples on MalwareBazaar
TLSH AEC45B6C32FA61BDC4D6D473C5D60C3096E0582FEE06D1C3A40B39AD697E5E68A0C9DB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.strongmailvault.com
Sending IP: 111.90.144.228
From: exports@lema-part.com
Subject: Product Inquiry.
Attachment: Product Inquiry.arj (contains "Product Inquiry.exe")

AgentTesla SMTP exfil server:
mail.karcek.com.tr:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 07:18:05 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jjn2g4ib54bjinnwt7tx5cxysjheofggnizdsd4duvkgajpueiaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00e8d6de1e2450594b8e61c5f8ce0b7c0b0aff075e72e79b7be035203511abbb
AgentTesla
24632af2c40f7670d76a42465d56891715eeadb0384df9e1ba8063451425c2a5
AgentTesla
2b115e42d37b2c740cf134413b64a79dd1486a08766d0d53a1fa70c9066163a3
AgentTesla
4106d7796887912eef46c78f6f62593d12152ae114e6e67c004afcaddb4296f5
AgentTesla
4b26c9e25fba0ef12ed1eb75cee46b2798aa51cec237a94630e39c63ad165a33
AgentTesla
4f2846c19f7e54543fae47f03571e84dcb40835e1d24d8d3b2cb17b92545a22e
AgentTesla
7193d497b1b85ec895b6d2c976a2d102a1a33d52b029a233d94a12cae12bd6f9
AgentTesla
79bbb6858997f49d3e688ccfc44206f89ab731a1e17b3be82a1c8062e7683913
AgentTesla
895bd4c8d2a48b22575765b56e28816dfec0a3ab991140a62cf76802c53a07bf
AgentTesla
9910df1ac6284683a19c1fe576367e0b4174dfa65846cce6d0b3a1663bd368b6
AgentTesla
+ 12'149 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-7k8zjx7l22/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj 642f7117911844788c7a17cfd5c15e21ec92ecfd6ee481956c3d7d32f286c679

AgentTesla

Executable exe 4a5ba37101ef029435b69fe77e8af8924e4714c66a32390f83a5546025f42200

(this sample)

  
Dropped by
MD5 3fb6b09861da9bf78623bce8d4ad2328
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 642f7117911844788c7a17cfd5c15e21ec92ecfd6ee481956c3d7d32f286c679

Comments