MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61f5d152caf6b824cc52b2f674caaa87d14163fff7af6186f7a380a451d244ec. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61f5d152caf6b824cc52b2f674caaa87d14163fff7af6186f7a380a451d244ec
SHA3-384 hash: 139adbe765958c1a6f931aee18021cc3c238540d8acdba1d50cf44cebb261a0a636deb0f092dda65c550330965ba9d6c
SHA1 hash: bb1d25fd09e913b2df365601ad9a15cdc9ae7955
MD5 hash: 925cba90f4d807751f01b7fa44d67af1
humanhash: quiet-floor-princess-hawaii
File name:MV JIA YU SHAN.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:647'680 bytes
First seen:2020-06-23 06:05:41 UTC
Last seen:2020-06-23 07:01:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:4BDpei9FlYd2di6BaPAl3IIcMbnATVs+M6qZNfYzIxNh8k757:4BDpNFlYdWFBaPEIIcMbn6VtMFMzIrWw
Threatray 10'691 similar samples on MalwareBazaar
TLSH 3ED40280FBD02691ED79477054A392D0137B3D2B95B1CA8A954CF62F1B73B02E256B3B
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12821/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WMH.613.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61f5d152caf6b824cc52b2f674caaa87d14163fff7af6186f7a380a451d244ec/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-23 06:07:06 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mh25cuwk624cjtcswl3hjsvkq7iucy7766xwdbxxuoakiuositwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
067a5016525f1df4467b7e098b851b6ef9d0feddf145fe0438538cfae3aa8410
AgentTesla
3a7946bae415fc7d5add7b6a5ca391fbe19a1ed621ebd370a9491f0e5358e500
AgentTesla
3d255c2fea31fd189b2420f2b9b7781a404b578db43b93d794b440d4d8d79d2b
AgentTesla
5a7d9f30e6fb3c3547e6eb91cd5252e7f516a983b1a8dd49fafd4c5d1584baa5
AgentTesla
78c61cb69dac32812faf5d16b82eed8ce956d3f8528625bc35d7011e7d933301
AgentTesla
8206a97c09a1edcf6d04125e7921ed21ff390de08fd9c7e4f3dacb4b43e4e9d3
AgentTesla
a055ab122f92c1f247a58260073621af704a77eb41a7300fcc863b3b4754e3db
AgentTesla
aafdc376b42922a324f0250c1670a3d4f197f3cb8a062360e1200263721af629
AgentTesla
c10d7ef1a099d990fe02780bfb9bb4215665643a924d771485fcbe5862e5e07c
AgentTesla
e19831bf62256c4c97a30d37b65c04eda5a3de110ba19f66d22750cbdfc9a5aa
AgentTesla
+ 10'681 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200624-a5gc6d1egj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 9a414753b832747986bf63c4885c03f8bf3fa3dd7b25105af4217bb045ed0fed

AgentTesla

Executable exe 61f5d152caf6b824cc52b2f674caaa87d14163fff7af6186f7a380a451d244ec

(this sample)

  
Dropped by
MD5 ef8e73ad5eee059bea4e40739e1a3c5f
  
Dropped by
SHA256 9a414753b832747986bf63c4885c03f8bf3fa3dd7b25105af4217bb045ed0fed
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12821/

Comments