MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 82e8330769ac002b017766ad3d35ac1b1f18e92bc9410e063a4ca377b10de7a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 82e8330769ac002b017766ad3d35ac1b1f18e92bc9410e063a4ca377b10de7a4
SHA3-384 hash: 9d3e1576df036db6aa201dda6adfaabbf8bb3caf6ee02535dd37ac3d3183ea338cd272de3f94aef307ee588d74b1fb94
SHA1 hash: a2c3fac836b2447b510d67beed0f551d25cb6a8a
MD5 hash: 9cca0212ed7aa614a3aa933124931b89
humanhash: pizza-alanine-finch-high
File name:Ordine 520 del 10.06.2020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:510'464 bytes
First seen:2020-06-10 15:42:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:SlqZCg3dt6ZZt924ZfgKuGMOiB6d41Lkrv7W4+cuykf44:jCg3d+tY4JiOnd45kc
Threatray 11'171 similar samples on MalwareBazaar
TLSH 82B4BE8D3650B6DFC82BCC7289A82C24AB60B5675727D347945312ED9E0DBE7CF142E2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: santomera2.vhost.interdominios.com
Sending IP: 89.248.96.127
From: Natalia Domnichenko - East Europe Department - A-Export srl <natalia.domnlchenko@a-export.it>
Subject: Ordine 520 del 10.06.2020
Attachment: Ordine 520 del 10.06.2020.iso (contains "Ordine 520 del 10.06.2020.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WGM.13904.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 15:44:09 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qludgb3jvqacwalxm2wt2nnmdmprr2jlzfaq4br2jsrxpmin46sa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
119d234e1f826adac6d68a614251fb9d1a20a4368102068ea030731372546f3c
AgentTesla
17c7aa7df0ffa47ac142bcf82edb465eedabcc7a307e8726eb12c92698302e16
AgentTesla
1cfd5099c6a8bf03aea60b09f4e7b829eadfcc1c0cc55f2c8bfbae01c03e56e2
AgentTesla
28deaed164db10fb90a1a27c2a92592f80a05d08ae9961ab409d381a5e7c0f34
AgentTesla
4291277336e3c27f2cc05278635f7724fa2ff4af06a547ca5a04ac91c3d71fa0
AgentTesla
940319fc3b9389a58d0684a38e921b2283f06cd7c5f96e357428008ecfbd427e
AgentTesla
9cecd56c5d9b1ea083ef837edb999f89f1cc620c5923b81d33ddcbb857199018
AgentTesla
a1438fd2ecd8a17372fde0f4920d510bce698eeb2eec5d29d67fbc15523d2e1d
AgentTesla
bcaa63ef1ed52c23a1a502fb74841dc79dfaa928e9367f22ba4412c0f0aff90e
AgentTesla
d0be07347ce319cbce0fa252c4a030834dafe118c2ea50a6e05951ecf06b20da
AgentTesla
+ 11'161 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-mwnpwvxdtx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 18567122e2aed51ed2fdfd1f87fc2dd791e8d2cfe233d70f0752d4bb21e9bffb

AgentTesla

Executable exe 82e8330769ac002b017766ad3d35ac1b1f18e92bc9410e063a4ca377b10de7a4

(this sample)

  
Dropped by
MD5 95d2ef48e1cfc6dee490323f4e73971d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 18567122e2aed51ed2fdfd1f87fc2dd791e8d2cfe233d70f0752d4bb21e9bffb

Comments