MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4d69edbfb0ddf03fa20d939ec09c9c2b082f27d141294d2040be60fcce818eb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	4d69edbfb0ddf03fa20d939ec09c9c2b082f27d141294d2040be60fcce818eb3
SHA3-384 hash:	867f2a7f27a78f7ac886a116eab1dcfd1890226df05cd972736266d45756e11823ce4dff73a8e8e2587ba723c47f3592
SHA1 hash:	2bba47387daf60f2d5fe0b7649fa6ee5da1ee0cb
MD5 hash:	8093f3c879aae9d01605ae5364241525
humanhash:	steak-floor-steak-bacon
File name:	8093f3c879aae9d01605ae5364241525.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	743'936 bytes
First seen:	2020-06-23 13:34:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a3bfafd3839d7a926bcc393a99921236 (14 x AgentTesla, 10 x Loki, 3 x Formbook)
ssdeep	12288:mDRuXrEbb00e9ElcwOixtthKGc7WR5Sc7YpDqIxCX0h6jgB+s7xrSTvZcVRoMi4x:oYbQhe9RKthmg5ANxV6kk+rSTqVRovq
Threatray	11'031 similar samples on MalwareBazaar
TLSH	8BF4AEE2E2A048F6C162157DBC9BD7789C26BD5129245A4F2BE4DC7C9F3D381343A287
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
rs200.webhostbox.net:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/13002/

Detection(s):

SecuriteInfo.com.Win32.Herz.B.29682.7947.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4d69edbfb0ddf03fa20d939ec09c9c2b082f27d141294d2040be60fcce818eb3/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-06-23 13:35:43 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jvu63p5q3xyd7iqnsopmbhe4fmec6j6rieuu2icaxzqpztubr2zq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

2522fc0ce2abffd595456b71ae2c01d8dfb4fa3597d2e0d2aba38d1ff3ee42d7

AgentTesla

44b3b23719518dc900b8fa3cbc83c5f34ee16c2705b27363a179da16127afca9

AgentTesla

4e892591da59a34dbe9f193aee50de68ada3b074011a28f14323539147c554a6

AgentTesla

62005a4721dc55f0752df55ca79bd85ccb46ba28a34d10d8f29880e087b69896

AgentTesla

6c1d19babfa606ff54c791d86f53bc2fae6def5a101c3205d741d6fb1e5c3cc4

AgentTesla

701e84680fac486c256f487ab9c8a6d5c7efdba7eb653fc13481c75c7f9c1ed3

AgentTesla

bd41417bfd1a5a3a4728eda91829dfcf381d84029a929a5fc23a0c03397042f0

AgentTesla

d23143c08dadac0a9421456456e6b86934fcde6833dedd9461a9b1ec111e1931

AgentTesla

da1a14ab552e932d5bdafe6c783eda63519f14f5cbda5ce6c5fc2132a0c561be

AgentTesla

+ 11'021 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

persistence spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200624-q1teatnmc6/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Adds Run entry to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/13002/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample