MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 555aeb6d9c6d4c69aea5e57bcfcc5e68313c95f03e1f2b79d68251d4ce066bba. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 9
| SHA256 hash: | 555aeb6d9c6d4c69aea5e57bcfcc5e68313c95f03e1f2b79d68251d4ce066bba |
|---|---|
| SHA3-384 hash: | 4fd8ed9664b7ec35926d7b66e7ad473461fc343bc1eb9b482051de6faba8bf599c330f32775286c0dafcd88ccf644860 |
| SHA1 hash: | 40ebae86d75effaf14796b3745d1657b3348da54 |
| MD5 hash: | 5011966630f696a1bf2c1bbac124afd7 |
| humanhash: | high-nuts-bulldog-six |
| File name: | 9862833.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 999'936 bytes |
| First seen: | 2020-10-19 06:31:12 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger) |
| ssdeep | 12288:HZmumjvWpF6NOCzvv9lT9cf5+iGkLwF5Uftk1PCq2ygChKFwVZQcVPbv9sp6Q2Df:HYumDWpI3n9lTCukLm5UimygJ31q |
| TLSH | 35258DC8B51031EECC0BD6319A79CC74A7123DBA573A410E54DB3D6B7BBE5938E250A2 |
| Reporter |  abuse_ch |
| Tags: | AgentTesla exe |
abuse_ch
Malspam distributing unidentified malware:HELO: 162-144-89-139.webhostbox.net
Sending IP: 162.144.89.139
From: Jay Firdaus <sales@3dhsitech.com>
Subject: RE: 9862833- 3DHSITECH SDN. BHD.
Attachment: 9862833.zip (contains "9862833.exe")
Intelligence
File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Launching a process
Creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Detected unpacking (changes PE section rights)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Detection:
agenttesla
Threat name:
ByteCode-MSIL.Trojan.Variadic
Status:
Malicious
First seen:
2020-10-18 23:36:28 UTC
AV detection:
23 of 27 (85.19%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
unknown
Result
Malware family:
agenttesla
Score:
10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
555aeb6d9c6d4c69aea5e57bcfcc5e68313c95f03e1f2b79d68251d4ce066bba
MD5 hash:
5011966630f696a1bf2c1bbac124afd7
SHA1 hash:
40ebae86d75effaf14796b3745d1657b3348da54
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
SH256 hash:
6fea87be5ed2e2931555b560b5e132c3d4238dbc51203e91d553248c150b9f80
MD5 hash:
1dd80124e1833375a58a263f8af5714a
SHA1 hash:
b43194c951f5b932d5bc520661f9a9f4840a4014
Detections:
win_agent_tesla_w1
SH256 hash:
a19ad91558f0c8488f60395163079d4b3a49a36dd7cbbbd7c487a2108db09605
MD5 hash:
8a3cb7b5d58576a59f9152e0a0bfe674
SHA1 hash:
fdc09a975d99bda42cd35e94a9cdd6f2406df579
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Backdoor
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AgentTesla_extracted_bin |
|---|---|
| Author: | James_inthe_box |
| Description: | AgentTesla extracted |
| Rule name: | AgentTesla_mod_tough_bin |
|---|---|
| Author: | James_inthe_box |
| Reference: | https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/ |
| Rule name: | Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | CAP_HookExKeylogger |
|---|---|
| Author: | Brian C. Bell -- @biebsmalwareguy |
| Reference: | https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar |
| Rule name: | win_agent_tesla_g2 |
|---|---|
| Author: | Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de> |
| Rule name: | win_agent_tesla_v1 |
|---|---|
| Author: | Johannes Bader @viql |
| Description: | detects Agent Tesla |
| Rule name: | win_agent_tesla_w1 |
|---|---|
| Author: | govcert_ch |
| Description: | Detect Agent Tesla based on common .NET code sequences |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.