MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8b6f4add873fd4bb6a6d559b89151aa85da4e17db3b26d6b8c5e35f1cdc811e7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8b6f4add873fd4bb6a6d559b89151aa85da4e17db3b26d6b8c5e35f1cdc811e7
SHA3-384 hash: 59d032e7b17351bf372dbdaa8d81c97b8e76911c2f3ae4d4b9437cd547bc71bb10e59be7bcea3f3bee63625cd8b0d57d
SHA1 hash: d2911c01a2667b55391f64f25f8ad0b9f59143b3
MD5 hash: b6521cbe6a026e31e99d74353359af8d
humanhash: one-uniform-illinois-uncle
File name:CUSTOMERS_FORM.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'000'448 bytes
First seen:2020-06-16 11:19:08 UTC
Last seen:2020-06-16 12:14:43 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:N9QjS7ev6VEt6vwN+2Ey7UdpLexpk9AJGMhU4H444l:3uCg6Nvty7UdIW9AJGMhU4H444l
Threatray 10'835 similar samples on MalwareBazaar
TLSH 1125C4243F816431D53DBD360795ABB1D2B3AD823901DF0F6D85379A6AB32CA7B07258
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ej-email.beyaz.net
Sending IP: 207.154.196.223
From: DHL Express <ihsan.gokcek@12m.com.tr>
Reply-To: customerservice@dhl.com
Subject: DHL Delivery e-Notification for Incorrect Address
Attachment: CUSTOMERS_FORM.IMG (contains "CUSTOMERS_FORM.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10929/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.17796.26138.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 11:21:04 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rnxuvxmhh7klw2tnkwnysfi2vbo2jyl5wozg224mly27dtoichtq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00654cb8a7ceb560cbb1b6ba1bb3828a78f7bf3fb0592d80086e9f922a0180d5
AgentTesla
05f08d66b6f118c60851b9b3a9f86eb9db05955af1bb2b6bbdd9b5308972b3b3
AgentTesla
0653767ae5080215ccf4d05fc78bf2c968568f847c4735279ac20f3b5ad303b4
AgentTesla
0a4ac915ba6f8c018081c160cd3bf260b2b96d9d4f9a0505398e2aff62b09318
AgentTesla
897a1305d267937baedeaf75e35e386efbb9c5d7d66819aaecfd885e84196142
AgentTesla
9426eff06a9e6de76b0168a39d457eebc368318ba1c468c8e6b04fe6f7b64b04
AgentTesla
969ae75e9c2c901449d7159bfef10d46da50e573f4c88ff94667661729a0f881
AgentTesla
9a4aa8d0acefa1f81a81440379ce5c4c76175c6a28d72ab61d372394646bab6b
AgentTesla
bc96a7521bd576710b531a2b2dd6d7f4b4a0854f6ef8285ec83e0515d27ff299
AgentTesla
e00c10de42f280a8a4cdb98618940bb9d767bc455154790ece3c265af6eaefb4
AgentTesla
+ 10'825 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/200624-tz56yd6nj6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img d6917435b59d53f76558df4c6a6a69120537bc2a9e15e1898e8fd2f26535e2bc

AgentTesla

Executable exe 8b6f4add873fd4bb6a6d559b89151aa85da4e17db3b26d6b8c5e35f1cdc811e7

(this sample)

  
Dropped by
MD5 366be58ec3628d2b13909008239cb3ad
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d6917435b59d53f76558df4c6a6a69120537bc2a9e15e1898e8fd2f26535e2bc
Cape
Cape
https://www.capesandbox.com/analysis/10929/

Comments