MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 837724016920b7d950caf8f43afbdfd5ac3dec79b6321849d9f22baa3371f6c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	837724016920b7d950caf8f43afbdfd5ac3dec79b6321849d9f22baa3371f6c2
SHA3-384 hash:	e601bb9522016b98218586cbea5fab244d6ce44f17d66bda5cbc8b8c1fa4c92ad553cb8e8364cbcbc0160e39f3db015b
SHA1 hash:	dfb5bd9c5f2832b8e7e82a46fa5873fafc05f9cf
MD5 hash:	1942eb720c2f2cfcf5665d978e7a6d74
humanhash:	winner-high-speaker-tennis
File name:	1942eb720c2f2cfcf5665d978e7a6d74.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	764'928 bytes
First seen:	2020-05-18 07:15:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:8455mHhlltIEXQDvWJsmgKloXuJ5/J41N13i566tFg:xmb3v3smBKXurANVag
Threatray	10'646 similar samples on MalwareBazaar
TLSH	10F401BC757C2F67C83D0AF46860959403F2E1A26C1AF6DC8FE170DA0AD27C127566A7
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
smtp.jlumberg-ss.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-05-16 05:13:45 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qn3sialjec35sugk7d2dv6672wwd33dzwyzbqsoz6iv2um3r63ba._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

157a44ec9e957fb3b5732e4e3daee44c36253f01b40c03083b8ef77f53b4770e

AgentTesla

23d9487f480403a4441c00198ae2b8598b5f293ceff6f6b3d97e2d82a438ce9a

AgentTesla

399a8e11367c80009a8cd861c379e0f4d6feff8544fecf51705a474edb3b624e

AgentTesla

8a9bcb387cd155170986cd1938beb317ee1ee511bcb6175a6d292bd976cca15b

AgentTesla

abf941273866ba3ff5790c18f55e776554f75f846f1878b98c1e98ad25e94b9e

AgentTesla

b63a3d59a9a406dbbf194da0ad4838fa867081dbd02b5fb2a8ec29fee3247d48

AgentTesla

c0c639e1f923a3dd8e88f2ee1b6a397db9f62c5688f6e04181f43f8b950e8914

AgentTesla

d1863b802d34e0fce4629d1df6fecd8b7918cd43047e65ed61dc770816fe275d

AgentTesla

deb93179e8d2099caf3821f0939076e995f8a42b991e2d5add756ea6bd7cafd0

AgentTesla

+ 10'636 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-hk6jvyyj5s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

rezer0

AgentTesla

CoreEntity .NET Packer

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample