MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 793666eca93a68eaa6cbb34eac888c354c61cc5d92e5f8d99466020a430308b2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 793666eca93a68eaa6cbb34eac888c354c61cc5d92e5f8d99466020a430308b2
SHA3-384 hash: a2a8fc6e7eecc7de4f82db3d3772fb69e9ae37329527f60e95886701f45d9461e96bba6e3cd02d212d08cd94fa8a70fd
SHA1 hash: 804010c9597571b9aad7b37f0e31474532b20d74
MD5 hash: 11cd289b080a87cf994d1da97cc5b575
humanhash: steak-august-vegan-ack
File name:Inquiry Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:491'520 bytes
First seen:2020-05-10 07:47:01 UTC
Last seen:2020-05-10 08:45:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:e+b2lUrDyovNI3OKXBERX6HZQhzykhfB4Q7x:e82Kyc+3OKXOx6HKzpfT
Threatray 10'611 similar samples on MalwareBazaar
TLSH 5CA4F01436AE1375F6B9AFB019E0E165CBBAB51378B4F37E49A100860AE6F40CD44F76
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smtp123.iad3a.emailsrvr.com
Sending IP: 173.203.187.123
From: Sandip Saluza <s-saluza@shergroup.net>
Subject: Inquiry Order
Attachment: Inquiry Order.rar (contains "Inquiry Order.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.45342.16365.1422.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-10 08:35:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pe3gn3fjhjuovjwlwnhkzcemgvggdtc5sls7rwmumybauqydbcza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2313dde5b84de43d82c693ccd65fdc2efd1321cc0ea3d8c901094805935eb0f1
AgentTesla
2c4f41d645657a8be7da399765e00d1d7e170fc6d7114e14fff1c8d717fbca16
AgentTesla
4196e77b555b5320913fbff4f5a329130e1f5b935f37f18e9deaa7b83f0b5108
AgentTesla
65e49a29cdfa1f1f91d5a59354ce7920a03b4aaddc0e26a3b002985d57388ea8
AgentTesla
978d51366e13c76915194bf67170b7431115e1962eddee9debeb3f8c89d77a88
AgentTesla
9aacf7241d4ac98976ece20663fe83d6b5f13bfe98b597ae02ed5d39614b9c16
AgentTesla
c01f7d088bbf081d5505e9356a6e1635eed13c9e8f8baef38f7a47c471067da2
AgentTesla
cb70c14b7aa724c2d1cf6881f0a864897d953c367ddbc002594da76941ac376a
AgentTesla
e06afa0c894ebda14b627718de1c45ac92bc1037a26592f4df7751c918bb1bc4
AgentTesla
f4e44a53a69291a3e254cc11fcf4dbe244f407cff4d919526a2532c65654ad89
AgentTesla
+ 10'601 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-4me2bfp2sj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 67174293be1ad3d354028d57b59c2ff54c2454f92934f42ead1cb56ec69211a3

AgentTesla

Executable exe 793666eca93a68eaa6cbb34eac888c354c61cc5d92e5f8d99466020a430308b2

(this sample)

  
Dropped by
MD5 3b8275a9bb97dc6f628e68f4868a71de
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 67174293be1ad3d354028d57b59c2ff54c2454f92934f42ead1cb56ec69211a3

Comments