MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80f41a09d12356205262bb77b16daeaf2a284a89fd737b042149a4207f16c702. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80f41a09d12356205262bb77b16daeaf2a284a89fd737b042149a4207f16c702
SHA3-384 hash: 681f8b2db34424a42a1ed8dfa1fa4909bc46632bc562dd2a9e118c0e4b6379080c95ba7a431dead90a07d4ac6d4ac95c
SHA1 hash: 1e23cde32f44ea7e2eb4a23248a8c7d40b595e2c
MD5 hash: a6da76fa51f029d56650a892efc0f353
humanhash: twenty-carolina-december-equal
File name:NEW PO.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:565'248 bytes
First seen:2020-07-09 07:34:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:7MTOiXRlB+w5lC3q+phprW/KePpEjZQacTaulCSRO68Yx:YXRuuC3jh8/KUTLTESR3x
Threatray 11'350 similar samples on MalwareBazaar
TLSH 6BC402BA72242C23EEF409FDC476B3501FF59813A0E6E2D85DDA31C966E5FD864401AB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: somaci.com
Sending IP: 103.140.250.133
From: NOOR TEXTILE MILLS LTD.<Noortext.mills@hotmail.com>
Reply-To: Noortext.mills@hotmail.com
Subject: New Po
Attachment: PO.zip (contains "NEW PO.exe")

AgentTesla SMTP exfil server:
mail.cka.com.sg:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23501/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/80f41a09d12356205262bb77b16daeaf2a284a89fd737b042149a4207f16c702/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 02:33:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qd2bucorenlcautcxn33c3nov4vcqsuj7vzxwbbbjgsca7ywy4ba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1aeebb408f994fab29b26a81576cbd195faf9d4a1e0ef4c299e38b970e43de2c
AgentTesla
1c2f10aaf4e8b9a9e90316e8b470616bac893609cd85374cb11bb4a1a3971e5b
AgentTesla
3305e88d2594770eced662a94933358d2d1d57534aebb9c6b7876e50de58a8a1
AgentTesla
3ca89270a1e4ae27056087ab556bdadd89ba1ab27b505afa53a812c5f2acabc8
AgentTesla
48ce0e9cc96cb8d9ebe92bd7c1982e84d48baffdbada44d5949370a58ebae901
AgentTesla
547e52557b519e2b169e8a9c5932e2d7ce615ea34d54348d5d87033a545b6362
AgentTesla
9c5da09379aac3c9b0c5fe8dbca524809a1109f2e57b218b5f48b9f2e32a4bf0
AgentTesla
a4d4f50a2dff36ea8d3f92a832578a875c3f6a3ce227f1263114bf9dcbe9e335
AgentTesla
c4031838bc163076ff2845546cad4c409d9cec8a2100d78d4ea1ea75579f7c37
AgentTesla
fe853873f403fbfa348d5d8439e86fd98e6b70253a5bf85be85f3b9092a3ef14
AgentTesla
+ 11'340 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200709-3xy6hgj3bn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run entry to start application
Adds Run entry to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0e643a127fdcae3f0ada30f6448e0db52e1220b591da686d5b6895e5a26c1efa

AgentTesla

Executable exe 80f41a09d12356205262bb77b16daeaf2a284a89fd737b042149a4207f16c702

(this sample)

  
Dropped by
MD5 6146ab2e2854342da1d82704c5821515
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23501/
  
Dropped by
SHA256 0e643a127fdcae3f0ada30f6448e0db52e1220b591da686d5b6895e5a26c1efa

Comments