MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9078f24603c107de0a603985cdc97c1dbf9af3cf4571c78a030c41e825ddd7d8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9078f24603c107de0a603985cdc97c1dbf9af3cf4571c78a030c41e825ddd7d8
SHA3-384 hash: 889e994bb2b0068c3cffa18470d854b55d89002219cf07e7c37cdc948eb57c221453a1beebdfb4b4b86ae6676b7f432c
SHA1 hash: ef594319b74dfbe67150c800721799ab2ca35e5f
MD5 hash: 917ce97a057dd8fbbb9aebaeb4d01832
humanhash: five-princess-hydrogen-fruit
File name:[DOC#2020] - Attached products list.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:748'544 bytes
First seen:2020-06-02 08:32:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:tOcFxZon9YrkbB9PZaSJn0mr6Fe1P66YC51Go1flKpctPJZBCTGVABKU2J:t5C+o7sSphr0e1gC1tlWC
Threatray 10'633 similar samples on MalwareBazaar
TLSH DBF4CF89B640B2DECC52E3355F36CC745B227C7E6636510E50EB3D5B3BBE9838929062
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: tunjimea.com
Sending IP: 138.197.219.174
From: JLC Sourcing - Front Office <uonsu@ceceliansanders.us>
Subject: JLC Sourcing Services Ltd - Products Inquiry / (Request for quotation)
Attachment: DOC2020 - Attached products list.z (contains "[DOC#2020] - Attached products list.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 07:35:59 UTC
AV detection:
20 of 31 (64.52%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sb4perqdyed54ctahgc43sl4dw7zv46pivy4pcqdbra6qjo527ma._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91
AgentTesla
1b4edda8f293ac8fba3e2bc1bf84406f61213e1f91f369f344cfcf755867ec6e
AgentTesla
2c0f1d7345f723c437ba09cc6b7b5b451e241c9ed8f35e09679dd6caba835c6a
AgentTesla
4421f642dd9caf0803c0be41afd29115599f419b34c1b5c8c054324212803752
AgentTesla
6824c4afb5e56e0c2b3e0b89a4acde70bcc2bd792334a6600225e623162ae621
AgentTesla
71ade4a829fd6ad92da63b1551d6e2cd15622ae6858b89f20e51dfa62f77b176
AgentTesla
94fcc8c7fd53c5463c0d33d1f74b5c7c8c0ae95ef097477958acb9df1ae5a15e
AgentTesla
d92c7343d3643bc031c353f789cf3a28d5a152a10f5848bafb2ad99f4a49f99e
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
ee7bb1548fa55637eea3c95c32abe9d52bc0b51b560a1bc550d16e963d8606d0
AgentTesla
+ 10'623 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-zwtj2ycj2n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z f8233c229f74de0978f3cbfaededec3b7df59005561f013aab1f6e5d618931c3

AgentTesla

Executable exe 9078f24603c107de0a603985cdc97c1dbf9af3cf4571c78a030c41e825ddd7d8

(this sample)

  
Dropped by
MD5 32989911e9e1d20abe834762890ee60d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f8233c229f74de0978f3cbfaededec3b7df59005561f013aab1f6e5d618931c3

Comments