MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4cd208b0ee4771b0f54ac78092818f8c0933b0dbf6ba08c229ccf49b379a8ea0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4cd208b0ee4771b0f54ac78092818f8c0933b0dbf6ba08c229ccf49b379a8ea0
SHA3-384 hash: 1ae567fdf663faa82d913c5722d64d93851cba8d4b556312e2a1941a9b7c4b34053a2a221a8cca98cdcfb0024defe4e3
SHA1 hash: e566dfb53a234bb1d446ff6093eec1cc823f46c5
MD5 hash: 6af7956150ca819ed161db3c420aa00c
humanhash: foxtrot-uranus-sweet-arkansas
File name:mj.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:307'712 bytes
First seen:2020-05-05 16:12:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 6144:tRgpruyF3KA9DmwjVdgM4acozpG/BIMpsky9b:tR6CwK8Nupd
Threatray 10'535 similar samples on MalwareBazaar
TLSH 0664197DBB88B902F23D1DB691D2522012F1D0834D12C35F6EC46BEDBF597C9294A3A6
Reporter JoulK
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 12:14:31 UTC
File Type:
PE (.Net Exe)
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jtjarmhoi5y3b5kky6ajfamprqethmg3625arqrjzt2jwn42r2qa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4119ad71f4f0b90b51e983fdf38008b853ebdfd0db175704d59fcbbc2adb8cda
AgentTesla
4fba937f1e8ae7eab73de2233f36e813fc2e4e889cbf5103f72ed642ba2e76c3
AgentTesla
67819aacac4994b55659a8f7924ec0384e667ee74fe5b431a731ac5baf69448c
AgentTesla
6af32b6b849f1186317e65f84c1d59cc03ce878ca8e3706c5d7afae2389b3c64
AgentTesla
82d3edc9ad7ba25feca5ef08641b0f030d92faa5dec17f3148e062b727a0240c
AgentTesla
a744e64bd387c4f4ef681744a8fd7d8ab024e3f6650302f24163fe506e92cccf
AgentTesla
a877edd01cd23c7ab7846c5f8e8820accb33965764770341300354f346a8e7b5
AgentTesla
b8cf49555f75f9f06bdfb76150d4b3e1a01a831a7eac7b644dde084c212a43d2
AgentTesla
da95177191327894415885bd683840bbe593fefbe4ea00a4b054c264a3e5e88d
AgentTesla
e651957af4c527f8a23f8c3094232c887e2a433974ab54e48e2519e8361809a6
AgentTesla
+ 10'525 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-6cdxqby5ne/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 4cd208b0ee4771b0f54ac78092818f8c0933b0dbf6ba08c229ccf49b379a8ea0

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/358346/
  
Delivery method
Distributed via web download

Comments