MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8ee12529c5e5e47ab9c291af49e47c41483f67ac4e9054aa7697e58fa625165f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	8ee12529c5e5e47ab9c291af49e47c41483f67ac4e9054aa7697e58fa625165f
SHA3-384 hash:	5435cb2d4eab0d17e301bc15d0aa6214a3eda950fc0767262b8af4de4a011ece311f376281083429500fa796cd6a8d7b
SHA1 hash:	93e3a1aa4bbcade3d23b9dbca79080e7f597f352
MD5 hash:	44f76cda017eea796aa16a68cde848ca
humanhash:	texas-stream-nineteen-failed
File name:	Purchase Order.xlsx.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	2'073'600 bytes
First seen:	2020-06-23 13:35:37 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	49152:UhRoc0TtqGysDntQ/3Opa8QjRvY6Lg3n36h:g0TYGysxQ/+pa8QjRvkY
Threatray	11'207 similar samples on MalwareBazaar
TLSH	D4A533250594443CC725E2F976A0015016F769EBECBBE74A4FBCBC6B5B4B2D88886FC4
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/13006/

Detection(s):

SecuriteInfo.com.Generic.mg.08dca873988dcf0c.7936.UNOFFICIAL

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/8ee12529c5e5e47ab9c291af49e47c41483f67ac4e9054aa7697e58fa625165f/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-23 13:34:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 31 (83.87%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=r3qskkof4xshvoocsgxutzd4ifed6z5mj2ifjktws7sy7jrfczpq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

246c477d796aabc41946276b9fa8c4201716c2f2aad6d2ec2c26075898b7396d

AgentTesla

513e797eab500315caf66ea8f8fd8ad7aa879368533eff217af06cfdec1c04d6

AgentTesla

51558f41331f2345cd146dc9705f48e8a6fdc425e6744658ff2ea53d42d34ae6

AgentTesla

5dcc9c1e15ffe2b5443d07490a733e9167ef47fed99cc3d494bf7674e9e472d0

AgentTesla

5f409bddf5b4efe31ec833332774381385c1a31e3e2d8e5e3b2d2f934be0a5a7

AgentTesla

826f7d92ad363ef5588a9d983b76899cd45279c201e2af459a38ef034527bf06

AgentTesla

955ac7517239af374296cd9fa5448c42f619097c8dd7477d3039d6f028155cb5

AgentTesla

9d61fc57f815de45a42877d6dec45d7483badedc2de5022c8a2f37c6d3f1e281

AgentTesla

f0b3f2e5bfee0f37c39392331af6a27a89e03a077d9e8084f6c0a5ffb843b27d

AgentTesla

+ 11'197 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

persistence keylogger trojan stealer spyware family:agenttesla evasion

Link:

https://tria.ge/reports/200624-xbe49yy8yn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Modifies registry key

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Modifies service

Adds Run entry to start application

Reads data files stored by FTP clients

Drops startup file

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Drops file in Drivers directory

Disables Task Manager via registry modification

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/13006/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample