MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 58691961ce7be790966ab5f9b3e9e9740af77b78a36209c8bcd6c229bb1563bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 58691961ce7be790966ab5f9b3e9e9740af77b78a36209c8bcd6c229bb1563bf
SHA3-384 hash: 91ff5e479ab5d347e597b1fcf11d4681814521cd253ea29ef7074793e47b429ec1ecb6e50f39598698ea705c802cb736
SHA1 hash: 4f002141bd8e83d092b5360d83986fd0f86bbdf0
MD5 hash: 1aeae5070a32d27f20594f18c91b6168
humanhash: minnesota-lemon-zebra-whiskey
File name:yxyvrxqg.xfb.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:355'840 bytes
First seen:2020-05-11 08:03:22 UTC
Last seen:2020-05-11 08:58:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:VD1Fw/NefdIaorDsaDSQkjoa0ZqmHCVesrOTH7cZe5FUF1OL6Ma3urVyxCPwIvcb:NgFefdxorDJ2QkjOZjofKHlFUyL6MhVJ
Threatray 54 similar samples on MalwareBazaar
TLSH 76740210EF6CCB75C97B48BEA8714E64839006A9542BEBB79D48781C1D833D29FC16E7
Reporter abuse_ch
Tags:AgentTesla Citibank exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gold1.leartes.net
Sending IP: 62.138.0.172
From: Citibank <uae.citibank.statement@edelivery.citi.com>
Reply-To: uae.citibank.statement@edelivery.citi.com
Subject: Remittance Advice
Attachment: hesaphareketi-01.zip (contains "yxyvrxqg.xfb.exe")

AgentTesla SMTP exfil server:
mail.oxolook.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.48596.9018.16665.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Ashify
Create hunting rule
Status:
Malicious
First seen:
2020-05-10 22:08:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lbursyoopptzbftkwx43h2pjoqfpo63yunratsf423bctoyvmo7q._file
Verdict:
malicious
Similar samples:
0fca6f4fa44279707d8baca71d47f79687c62f528d0e872dc27c393e15567904
AgentTesla
15c86f03a9ef0aa9720a510fd21972a675d15c40ad3efbf52ff2e5cc9bb86c57
AgentTesla
5b37cc85fd190a6b4726ea57f2588b5a74acc2c51e2917363c226b73ac79118f
AgentTesla
6e204b5e206dca168575d270ae14f416d5e4a55c19361ce490c91cdd644a1672
AgentTesla
7aa6630f2551f50849fc18f793c16fce8095c0d415816735442342c2e69634f9
AgentTesla
7fab681c57b3f8918c974e5a436b72f9a963ae8b4d4ab5592ceb17cdb57f14f9
AgentTesla
8b821e88c568d00613f802e79eda4c77913a09c7760dcfdd80e8886b0a8bd8f1
AgentTesla
c67a5532da224bed43083a33864a2b276e35fae9a5d29b2ad80bda492e6c6bb5
AgentTesla
ce87eb71c655ed8e6fa17b9db6b5ba633e468b27d1ffd2a8b931b391bad84bfd
AgentTesla
d2fb5b8b623b7bca926fc2d6e92fa81360e2375af49a6d08ce1391282a9b4276
AgentTesla
+ 44 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-mffx9jww62/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 23a2aa989f0269b0d5a2afb2a1dc5147ee2ef46a521275841292d81d451694b3

AgentTesla

Executable exe 58691961ce7be790966ab5f9b3e9e9740af77b78a36209c8bcd6c229bb1563bf

(this sample)

  
Dropped by
MD5 667fe701f0d7e296afaceb2bc69fa513
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 23a2aa989f0269b0d5a2afb2a1dc5147ee2ef46a521275841292d81d451694b3

Comments