MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 581d24eac46352bc994bf5a8fb47ac0c6a5b4215b96e1b1d6542da8e94923286. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 581d24eac46352bc994bf5a8fb47ac0c6a5b4215b96e1b1d6542da8e94923286
SHA3-384 hash: d75c7d24804f970a474f0ed1a85f905d6a583794d5e1872dbeeaf62b14f74aac996bee6850b6f3315bf94f993f622bb2
SHA1 hash: b8c185bdfb80a6eb82a9b60d810687d7c53ef47d
MD5 hash: 247b14513369f954dccfbb8185646d94
humanhash: seven-moon-quiet-september
File name:247b14513369f954dccfbb8185646d94.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:288'768 bytes
First seen:2020-06-10 10:00:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:orxsEApFCG9zyj+8lVQqNQ9WG658ok4E5VaNT8Yt6k2:ysEASGsFlVQqNj8Ix8YP
Threatray 10'601 similar samples on MalwareBazaar
TLSH 255429AD6B88B902F63D1D3249D1167013F194834E12DB0F6FC46EED6F537CA2A4A396
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
server257.web-hosting.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
60
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 07:08:11 UTC
AV detection:
23 of 26 (88.46%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=laosj2wemnjlzgkl6wupwr5mbrvfwqqvxfxbwhlfilni5fesgkda._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07314d5b91857ca3814c9388a01179c00d6fd8aeb8ff93a73327cffce42c8650
AgentTesla
0cb9e417f6d669eb497a3c451a30744cbe7b4bb5f7acb01d55956e1021303d2a
AgentTesla
12a1af4ef81e1c6e71faac652ae0b27d26f7c0f8f03a1e5191e64efd85cf580a
AgentTesla
18f1ef2dbfc681bdc30619ac7d83ea4433716d0e1756025d72536b143fb6bf8d
AgentTesla
246366b847f40185b79d4b7dccd159a0ea49b16043baa6c2898ad6dc88fcf0a0
AgentTesla
29887ae5301d3c3ca584a036c36c509b52006464c7edd86e756518d36ce95a81
AgentTesla
51bd8dfa22a6e05ec3c95e28ab55dd1fc64ff43cec0195245ac1f4630a5663e0
AgentTesla
70e99108b5577011f7484785487d9cb5149dd1070138fa121407658053322cdd
AgentTesla
77950def119777d1a1a47117910bbe7f1579bd91b9295f46f0ce31bebaa54104
AgentTesla
848819f3966f65691b8f25f9852dbda007bd01b73bc7098a1c1b8122993065de
AgentTesla
+ 10'591 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-s5n53fn1gj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 581d24eac46352bc994bf5a8fb47ac0c6a5b4215b96e1b1d6542da8e94923286

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/385282/
  
Delivery method
Distributed via web download

Comments