MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 813be611f8fa33a83290e6c2bc9aa8bd508ebbcaaea18ebf969374c516df511b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AgentTesla
Vendor detections: 4

SHA256 hash: 813be611f8fa33a83290e6c2bc9aa8bd508ebbcaaea18ebf969374c516df511b
SHA3-384 hash: 8237d25715328e7bcb25b3776fb627fceee29e9077e202863e054360b90f3a23c10285753a9d9f6190587fd9a2d37d55
SHA1 hash: 2ad76e314e3c1bc03e096ea85e5650fea0ca08f3
MD5 hash: 79d846d9bb93dd0626c60af716dd3511
humanhash: steak-quebec-monkey-earth
File name: Ovvbx.exe
Signature: AgentTesla
File size: 442'880 bytes
First seen: 2020-05-28 11:49:48 UTC
Last seen: 2020-05-28 12:58:10 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3fdda323bee64f21b3c9b4bf8c21fe43 (1 x AgentTesla)
ssdeep: 12288:Pja59MgwvWIXtsGWBNuksqjxRjWI/ypP9mMnZj1w:by3IXmzvsAqV1XnZ
Threatray: 11'054 similar samples on MalwareBazaar
TLSH: DC94234BEF043C9AD118097F69174CA01B7CB423789C9F8B964ADF5EFA369E77891012
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing AgentTesla:

HELO: resqmta-po-07v.sys.comcast.net
Sending IP: 96.114.154.166
From: Hussain Ageel Naseer <ageel@boostict.com>
Subject: Request for Supply Clarification
Attachment: Maldives_TheschelPvtLtd2020Request.docm

AgentTesla payload URL:
http://ourhajn.me/mework/Ovvbx.exe

AgentTesla SMTP exfil server:
mail.bradmagroup.com.qa:587

Intelligence


File Origin
# of uploads: 2
# of downloads: 74
Origin country: n/a

Vendor Threat Intelligence
Threat name: Win32.Trojan.Injector
Status: Malicious
First seen: 2020-05-28 12:50:37 UTC
File Type: PE (Exe)
Extracted files: 459
AV detection: 25 of 31 (80.65%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan upx

Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  AgentTesla
    Executable exe 813be611f8fa33a83290e6c2bc9aa8bd508ebbcaaea18ebf969374c516df511b (this sample)

Delivery method: Distributed via web download
