MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 69e5a4941d5236dad068202444b9d7e6fa25944daef9f04e3eaf60ab77252ad6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 69e5a4941d5236dad068202444b9d7e6fa25944daef9f04e3eaf60ab77252ad6
SHA3-384 hash: 6b57e15b2e7d2fa8c744160efcf9a8b577088695c76dc550951281aa3e490510ad6999ec452a0486393ba672eea907b8
SHA1 hash: 3a4f9c22b6b03671cfd3ab62965d5f3fc4cc7c35
MD5 hash: d5ca94a178285f520f0763e5b514354d
humanhash: carbon-kentucky-violet-white
File name:HIT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:513'536 bytes
First seen:2020-05-19 14:45:05 UTC
Last seen:2020-05-19 15:42:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:uwlhYWCwaPwQk1gyT8eAsnuP+LFqQIDNfi2tDX:uwDtaoQk1TT/AEuP+Lv2Nfi2t
Threatray 10'669 similar samples on MalwareBazaar
TLSH 54B4CF3C1698D666C9DD87B4CDA555040FE4C6EB8E2FE78AECA5B0E61D273C3940218F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: box.istanbulhmclinic.com
Sending IP: 167.172.33.133
From: Barry McIroy <admin@istanbulhmclinic.com>
Subject: REQUEST FOR QUOTATION TM 102018_PDF
Attachment: REQUEST FOR QUOTATION TM 102018_PDF.rar (contains "HIT.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.47138.20525.16290.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 15:36:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 48 (47.92%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nhs2jfa5ki3nvudieasejoox435clfcnv347atr6v5qkw5zfflla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
06d6ece1fa6b728d5b5f538d740a60626e99cbbe6df5bd5a5c3f2a8923b0fd98
AgentTesla
35f9060c0120cdc1dea18efbfa056d73bdd2507892ad7d6abf5364675c7e948a
AgentTesla
38a768da182507828cb8951cae8b8a6cb9399e07c7eec2b680277d3c2cbc2ce3
AgentTesla
423fe23fbd37603696146a6285bafdb4ab7bd9bfbc34b9665ffbbc5a9ea5b3c2
AgentTesla
7be3a3d6b712edfa50d8d5a443b5bd7719d57c9be6b7d34ebe2e3e4a7815e062
AgentTesla
828b44ee0da00ddfc797dc86f74153b773bef7673f798af3e603148ca0399b35
AgentTesla
8e06f5c0b680e598a1063b921faa1568b00608fae457fedc04a53bc4637977ef
AgentTesla
ba6a56d29ae56e405526f32fa7f365dd39c0192156e4a66263cb24f05490cd31
AgentTesla
e0b1475da71d2c099ae959dfe1d9406fe992efd535da154bf2e423e14e8376aa
AgentTesla
ede1cc754e047082946e0e3bdc5487406aa36881da14fc3f15fcf2d3265e8757
AgentTesla
+ 10'659 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-b1632x4mcx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 41f3f3bd87dd23ac978638b8022bcd30a069d4643efa9d59c53fbaa815bec7a0

AgentTesla

Executable exe 69e5a4941d5236dad068202444b9d7e6fa25944daef9f04e3eaf60ab77252ad6

(this sample)

  
Dropped by
MD5 e3360f9087c4b30555cdf09a3c37a073
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 41f3f3bd87dd23ac978638b8022bcd30a069d4643efa9d59c53fbaa815bec7a0

Comments