MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51868d20e4a12a9c843de2e2265cd8fc72577d511d73a5451e8b891654e546bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51868d20e4a12a9c843de2e2265cd8fc72577d511d73a5451e8b891654e546bf
SHA3-384 hash: 366fd081585241dd51090f781a1899ce0d4dd5b071d34951325c000d1595af99974b86eab36d06a16c90e97ae16ae001
SHA1 hash: 931be53c484d47552097c51192c889b7f0ac4c1f
MD5 hash: 24bf6de00979b55c210b4c6974114903
humanhash: michigan-uniform-may-fanta
File name:Quote JQ102474.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:485'376 bytes
First seen:2020-08-18 05:40:25 UTC
Last seen:2020-08-24 09:14:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:9C94EcmZHAFaxmVmie9bngPA3CVXMD0fmthh3HQIqbuSVOAQraEY:S4EcmZHAFaxmVmie9bngPAIxmthR1O2Q
Threatray 10'688 similar samples on MalwareBazaar
TLSH B2A4E18C35A0B1AFE6F94DB5AC602C38879023271617FF079D13AAF457DD5E6AE040A7
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
352
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47492/
Detection(s):
Sanesecurity.Rogue.0hr.20200818-1705.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/51868d20e4a12a9c843de2e2265cd8fc72577d511d73a5451e8b891654e546bf/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 01:36:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kgdi2iheuevjzbb54lrcmxgy7rzfo7krdvz2kri6roermvhfi27q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
188b806e1f68912656bb5156317e03ee2927658f4879edeabb6a2bae0406f1f9
AgentTesla
227edfe5a3f405840f8be7a96d205ddbd66707829e0118f049f2917d28d2b142
AgentTesla
3d009dd1124fdf76e4a5284fa421d54a0ec663abc1517bbf95c809bb36dd8863
AgentTesla
4b6a3f081e8c3446ceda38794bf4922dff17d04cd79759b4bd543b0c5df7a4a3
AgentTesla
52356a622db66e07663fd4cb2ed303bfb0f0272d2f21a3da414904e2c611600f
AgentTesla
551ef049bccb7a04aded3d024be74e299bbd9c39b4ede5eff98606f89b9ae44e
AgentTesla
6592c22fa9ba295820bfa259711ec8592417ba1048e3b8baea6a39cc0e95bca3
AgentTesla
7dc944bd0d2dafb252d4388f45a7d624ac5b6cf79ddfe72e3b5fb2db08ab1850
AgentTesla
82fed36e33e28ea2575e1d8e17ab4b34f03f72903f7b48ddaec1e2d021bb2c6d
AgentTesla
fb3509272ff65cf1f3521d230d912afde3af02dcf203ad045e020a4fd86ddca0
AgentTesla
+ 10'678 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200818-ka88l42hpn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 3dc26073489c5bc46197bdc084c03043c9c1867360a8e69550230fb85e0820ac

AgentTesla

Executable exe 51868d20e4a12a9c843de2e2265cd8fc72577d511d73a5451e8b891654e546bf

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 3dc26073489c5bc46197bdc084c03043c9c1867360a8e69550230fb85e0820ac
Cape
Cape
https://www.capesandbox.com/analysis/47492/
  
Dropped by
SHA256 fd58d6d9b18c848337006779c33b751b2a39e804a044f6a3e996ba61a59eb94e
  
Dropped by
SHA256 7ad226791548ee7c77e72ec1efaa233ddb1e9819e431214f2e2b49a9b6d65017
  
Dropped by
SHA256 dc35ba3560432e26101678dc5f55cfd03555038a9dae13c30af9b5092e36b16b

Comments