MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a0dfa424d15f228b79cf8e773937af51dbf53251168b44afa554fd62db25f85. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a0dfa424d15f228b79cf8e773937af51dbf53251168b44afa554fd62db25f85
SHA3-384 hash: b838356dcda660f81b8dc7d16e95b81d7836ad894775f33d391861a76e2e5c7ba73aefb068ea3990234d40f1a3c829b7
SHA1 hash: 6e78062da1b1f8801cbcbc5c2a17d6a18dc99791
MD5 hash: 9d355f5d51632dc72e23d6251db0a83f
humanhash: rugby-hawaii-georgia-kitten
File name:enquiry.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:621'056 bytes
First seen:2020-06-22 08:01:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'604 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:qh2aoroSqyZKvSk9aj6OspRZgKUuCtwDT4m5RyNmP1dpgE9fc:qVoBXASk9aj8JUuCtOGmtAif
Threatray 10'719 similar samples on MalwareBazaar
TLSH E5D4193E3B85B905D23D0A7240EA55D07371E2873A02CB0F6ACA979C6F157DB7B852C9
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: fezecosa.com
Sending IP: 156.96.62.208
From: EHSAN || FEZECOSA <ehsan@fezecosa.com>
Subject: FEZ-ENQ-01549-ITC/ RFQ
Attachment: enquiry.pdf.uue (contains "enquiry.pdf.exe")

AgentTesla SMTP exfil server:
mail.bestinjectionmachines.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12489/
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a0dfa424d15f228b79cf8e773937af51dbf53251168b44afa554fd62db25f85/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-22 04:36:59 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rig7uqsncxzcrn447dtxhe326uo36uzfcfulisx2kvh5mlnsl6cq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1adb1e77313a4404c1133c255cece52584f329eeb223d6567beb97d9754125ce
AgentTesla
1eebe4346f9ef87b9be5bae1875e17097501a28a201e2cf500df658a3727b47b
AgentTesla
41eacb31f32da496ed3d78e3b90797bea286f56808a09ab339846ee3aa18b643
AgentTesla
602539024550629c94790807ab0f6b99379a53767b14375963e64b71a2185408
AgentTesla
ab79b2c6cca235d1b6a2bfdc550a15497c03d193d622feaa2e48c3006ef7c0b8
AgentTesla
ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317
AgentTesla
c8a3fed3476b3f28b4d158607b92c132d395a86ca2375a64b9d3f0b617bdff7d
AgentTesla
d0be07347ce319cbce0fa252c4a030834dafe118c2ea50a6e05951ecf06b20da
AgentTesla
ef7a8f1478e57d2dedf96a00501903b7b5a571680286502f2f329ed2c8728b2b
AgentTesla
f3635e26f70dfb1240a5f8c7b09ea634ee9e5b6692cb73829b0124c0b2505281
AgentTesla
+ 10'709 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-6pr16ccea6/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Loads dropped DLL
Reads data files stored by FTP clients
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

46338352b99d54e854c9b6f22b30f0f5

AgentTesla

Executable exe 8a0dfa424d15f228b79cf8e773937af51dbf53251168b44afa554fd62db25f85

(this sample)

  
Dropped by
MD5 46338352b99d54e854c9b6f22b30f0f5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12489/

Comments