MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4e00227920cf24a54644e3d72cf89d01900d591d138eec8dc9eb9682bdac788b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4e00227920cf24a54644e3d72cf89d01900d591d138eec8dc9eb9682bdac788b
SHA3-384 hash: 7221c0b2aed074e41fc2ba13b45fe3ccb17dcf640b6e3b330d71bf2b21a37423a5b540d95ae36155199eb0566768dff5
SHA1 hash: d735477ffd2225d6fd0268e49eb878f92cad87c7
MD5 hash: f79975d2de3c8bde7cfceb21911b829b
humanhash: lithium-low-charlie-steak
File name:SKMBT-2635278339.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:479'744 bytes
First seen:2020-05-11 05:12:33 UTC
Last seen:2020-05-11 05:48:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:5u6qfCek3cLaX0ilOyALLAqqhh5l8abJ3UvqX4Ue5BkjgCmlr:5jqfCek3cLaX0iliAqqbH7lp4pIkCo
Threatray 10'700 similar samples on MalwareBazaar
TLSH 68A4BF1036AD5725E8F99BF52EAC9081DBF1789A7894FBAD4DC254CA42F0F50CC60E27
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.10384.21068.32407.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 05:35:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jyace6jaz4skkrse4plsz6e5agia2wi5cohozdoj5olifpnmpcfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2a508f9cc9936cdfa3004c6b5c05103197846e605f36bed514fe599d31ecb7c8
AgentTesla
39f598e73c03390cc4caf9663c3cc455b26015afe4d221f07d02a639563ec696
AgentTesla
5a352b2ee786cc795f1384a14290a9bb06db592c529f0f4f50ab7cacd95bd091
AgentTesla
809cf96090585fbdf4cb22208dd0d07a90818cc87652d398f08336504b808144
AgentTesla
ac943c916f546d6a3194154ecb4923c9afbd1a513b7d3af5beba85e8d7047af8
AgentTesla
b2a303978225eae9f42504387edb087b85311f789d125edb4ead7066e7047afd
AgentTesla
b6a58bc3f41e4914190b15761baca60507bc4763dd6305c499c52f95ea042727
AgentTesla
bfa03a66eb0b9720abf3efe1e9a220daa682dcb69f6bb6febdbc56bb9624e77f
AgentTesla
ea027d907975381eaff6b9b98a14f303ad9f9d74b454dd55b9bd3b24b3b5baa1
AgentTesla
f1102765bde9d2485559822259bb55539749ae15cbe3378bfc4146586900fba8
AgentTesla
+ 10'690 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-vgeywsac6j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

92cee4318703fa2bd9932747b94425496988d5c78088a35ddcb4f882b35142a9

AgentTesla

Executable exe 4e00227920cf24a54644e3d72cf89d01900d591d138eec8dc9eb9682bdac788b

(this sample)

  
Dropped by
MD5 93e2330c735ca57992d2127b91ed854f
  
Dropped by
SHA256 92cee4318703fa2bd9932747b94425496988d5c78088a35ddcb4f882b35142a9
  
Delivery method
Distributed via e-mail attachment

Comments