MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6b190569425a9948a6a74bb7acfa11b02f32688ab673e39ac48a44d3d258a825. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6b190569425a9948a6a74bb7acfa11b02f32688ab673e39ac48a44d3d258a825
SHA3-384 hash: a88c4c44c25c805dd81ec6ec5f7b8e10e7c1f5a78eb9e359ae42cecf5e1959e94e94367c03ede56095c010041f27a445
SHA1 hash: d049b451a481b5cf7168e3f0fde7106ba6fb70eb
MD5 hash: 08f1eebce7c4d5fc578d79fee02b6071
humanhash: sweet-artist-fifteen-thirteen
File name:08f1eebce7c4d5fc578d79fee02b6071.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:558'080 bytes
First seen:2020-05-20 11:57:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 12288:IodTHODja++Zhk4cThlpirBjL+iW525dm28MEnPjCQDMvCH:Iohd+QavTHqBjL+iWI9hGj7MU
Threatray 11'017 similar samples on MalwareBazaar
TLSH C2C4E0143164C917C69960F8C895E3F047BD6EA3D592E3EB9C8A7EDE3AF23E64901143
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.hjspom.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 12:13:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nmmqk2kclkmurjvhjo32z6qrwaxte2ekwzz6hgwerjcnhusyvasq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00b85c15e241bfcd6a5a9d64029e117876da5029b60b8f4828f859277dafc6f2
AgentTesla
38c2603cbbeb9ee8216681d4def420dec1bb778379c850c168830d72dc7afaf9
AgentTesla
3aed1fc591ecfec392005089c870bd1f645f352a99912c1de774918e1de67f8d
AgentTesla
55187d6c2f610a3ce371a1fc9771ad42d90b7266c5e9ea45fced7acf9fe0ad13
AgentTesla
664f6eaa9564770b3bcf02dd9f3627bde68bf98de0d9ae17829a1b122060a313
AgentTesla
6d64b4e9f5d0ce23f886c24e546fa03e0f4022835e5c98249a6d4259a5d7fef7
AgentTesla
b0e38a8ec3125711431780be0140229b6389d3b60a3bbc7aa134cc33bcc50f9a
AgentTesla
ce132a11e36407341db1d51019d28597718f90e203ff091f2e03d72d8c6f771f
AgentTesla
d8450acc64ddba18cda3926697f2953a4bc632607bb975a31c8dbeaa882765d0
AgentTesla
fba5658815c50ae760c7baf3e1bd1bc7f3f78a7bf71066c4b4502b755b35826c
AgentTesla
+ 11'007 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-pylazz99xn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 6b190569425a9948a6a74bb7acfa11b02f32688ab673e39ac48a44d3d258a825

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/365268/
  
Delivery method
Distributed via web download

Comments