MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 66e548774f497cb4dba29b195df59b74b351365eaa777f1516a1baa02805ab22. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	66e548774f497cb4dba29b195df59b74b351365eaa777f1516a1baa02805ab22
SHA3-384 hash:	ac462ea4914262e467276df1729cfa2e555a5b32b478fb3ccd96b3605e41c9b82536a3732e22e42a6dd38bccb3480454
SHA1 hash:	d5fddf51d46036d347319dfdc23d37627ed2d499
MD5 hash:	ce3c13ed9f70019df2816b652bbac246
humanhash:	king-romeo-eleven-arkansas
File name:	DHL AWB FILE.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'176'576 bytes
First seen:	2020-05-07 15:33:51 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	05921bf5bfb2e768ae47538780e783b7 (5 x AgentTesla, 3 x Loki, 2 x FormBook)
ssdeep	24576:Ariopgj/L6x7yZURYHpI5GMrMMxjvq2DdkyQAXlW1Zk:A+oEU6HpIEMrMM93WAW8
Threatray	11'725 similar samples on MalwareBazaar
TLSH	A5459E22F2969437D2731A3C8C6B93A89F2A7D107D28B85A3BF51D4C5E392413D352E7
Reporter	abuse_ch
Tags:	AgentTesla DHL exe

abuse_ch

Malspam distributing AgentTesla:

Sending IP: 149.202.66.146
From: Amy <sales1@al-shahranigroup.net>
Subject: Up date Order Status
Subject: Up date Order Status
Attachment: Up date Order.zip (contains "DHL AWB FILE.exe")

AgentTesla SMTP exfil server:
mail.gascuenca.es:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.Adware.Generic4.BBFB.UNOFFICIAL

PUA.Win.Adware.Webalta-6862190-0

Gathering data

Threat name:

Win32.Trojan.Injector

Status:

Malicious

First seen:

2020-05-07 15:39:32 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

29 of 31 (93.55%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m3suq52pjf6ljw5ctmmv35m3oszvcns6vj3x6fiwug5kakafvmra._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

63639cd2d113b84b973583108166093a5d5313719cd2b8945b17738ae52a6291

AgentTesla

640b8fb7d9f4d83299a5b00069886616bf90d5e77e6007ee40ab2cd0f2f0f410

AgentTesla

8359aef736bf6288512a9d20ed65d3c2981c55ef52421e47ccc287316fbcf7ca

AgentTesla

acbcb4df85d5f9b834b53599b13447cac78dcae89cbf9ae396ec7f932ea174cb

AgentTesla

bca55e158b112f5d776f4402d48cdfaf5ae42b4d8f2e063ac69ba2405bfcc60a

AgentTesla

be97c3f71385314e1d4da565788beba4633afd5d41c1a58eb3600b420becc747

AgentTesla

bedf32a0048ee8ddd12e64f570588de6fb87d1e6931bef8ef863997f35139228

AgentTesla

dcc206d54d057142a23f0f00ca30ed924d4b293bbd1cce16f1ca4a946718892a

AgentTesla

fd109cfe95d8da2681647dd8f860797e521710150721b251277ea7d1fdcc8c88

AgentTesla

+ 11'715 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan upx

Link:

https://tria.ge/reports/201109-q95y35l54j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar