MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 52329d0ebae7ee1de8a7da5b8b20e642815e468237e10388130f4a0661daec50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	52329d0ebae7ee1de8a7da5b8b20e642815e468237e10388130f4a0661daec50
SHA3-384 hash:	5f2b5c2e6b4982cf7eb74d36810aa05e488aac49574ee25f8afa2888ec047b2273a0e6b288cc033c6d26c5b5b84d8068
SHA1 hash:	5bae64fca41305b2afe149fd2089d9bd3c48f460
MD5 hash:	b8cbd0ced8243deb0d7cba42749b96ce
humanhash:	high-september-fish-grey
File name:	CV_JOB REQUEST_Pdf______________________________________________________.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'539'584 bytes
First seen:	2020-06-02 12:28:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:ltb20pkaCqT5TBWgNQ7at6uvcUSe0N6vGEDs0m+JKUQQfICSHV6A:WVg5tQ7atpxeEA+JK7AI/15
Threatray	10'858 similar samples on MalwareBazaar
TLSH	A565DF2363DD8360C3BE5173BA157701AEBB782535A5FC7B2F94093CA9201215E1EA6F
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: mx.vvillowood.com
Sending IP: 195.231.64.82
From: Deborah_ Fankhauser <merchant@vvillowood.com>
Subject: CV FROM CHINA Covid 19 Health Manager(wash your hands stay safe)
Attachment: CV_JOB REQUEST_Pdf______________________________________________________.iso (contains "CV_JOB REQUEST_Pdf______________________________________________________.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

Sanesecurity.Malware.27681.XorExe.UNOFFICIAL

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-06-02 12:37:07 UTC

AV detection:

31 of 48 (64.58%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kizj2dv247xb32fh3jnywihgikav4rucg7qqhcatb5famyo25ria._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1e1cb929940cdd51d138037ca0b6be69441dbe86fe88d1e8d08056b0bb2b14f7

AgentTesla

2adb3891f61ab6b0331e50da04a3cbbfef3a578da513e8360cd567727ed5e790

AgentTesla

6468ac589dea9fba80c9671c62dfe200f863ad89f4af89e9f973eebf5cf6c18c

AgentTesla

675b4af2c5cc3648876edc6d33a2597a8a391e312f3291c778c4065919eafbd1

AgentTesla

7b30f4495b6650b1059c97b73bfb14d5ce76636cfdeaf3f5537a1973e625bcb4

AgentTesla

a08e9a083658a28c5aa4660f92dbccdbef5dea130a053f0ae6e02d302083528a

AgentTesla

c1929f1b7cf65c645f61b109bfd01aee7af27003a36d1b68e27425f6eaba810e

AgentTesla

fbb838e50d66456115e0d8ac30bfd63eeba487de13cd25fbf8fceef7f2dd1ba9

AgentTesla

fd570384825482aedb4d8eb615b643e89540a9283def1b0b326a8f6c1c3a1cf3

AgentTesla

+ 10'848 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-btvsvqcw9n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops startup file

Reads data files stored by FTP clients

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

8cf80371c85303a77f65527dfcb01b3a

AgentTesla

exe 52329d0ebae7ee1de8a7da5b8b20e642815e468237e10388130f4a0661daec50

(this sample)

Dropped by

MD5 8cf80371c85303a77f65527dfcb01b3a

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample