MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 915d85c1edf41968eef560a64f2f39b2ac391e23c82e5c60233b5eb37e29512b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	915d85c1edf41968eef560a64f2f39b2ac391e23c82e5c60233b5eb37e29512b
SHA3-384 hash:	4b36c07af57af2104cc0949ec4a96195d6987eff2c30ddd94ddfb14495d92160c0c6785e34c85070c8000c299f5a8bb6
SHA1 hash:	7c20e346734b35b4e6eea8a93c55df40a43655ad
MD5 hash:	1f7ee25b154a9dfe742a7be74ef3fa0c
humanhash:	timing-early-king-table
File name:	1f7ee25b154a9dfe742a7be74ef3fa0c.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	287'744 bytes
First seen:	2020-07-01 17:08:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:YtEpabqnFnq3zRsgVIRTjydCo1jL8m275HwEIU9yJGERos:xpabqnGigVIRTjydCo1jL8m2hwEM
Threatray	11'462 similar samples on MalwareBazaar
TLSH	C3543A8D2B98BD02F23D193285D6163453B1E4878B12C30F6FC44FFC6B697DA694A2D6
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
terminal6.veeblehosting.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/17724/

Detection(s):

Win.Malware.AgentTesla-7660762-0

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/915d85c1edf41968eef560a64f2f39b2ac391e23c82e5c60233b5eb37e29512b/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-07-01 07:16:00 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sfoylqpn6qmwr3xvmcte6lzzwkwdshrdzaxfyybdhnplg7rjkevq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

469d5a8aa26b60c5f3234e2124fcda7a61b3accf4011373b32b49cff2cda745a

AgentTesla

76d60cec5d6006b89ad22fb2cfbfe6d50962092bfbca1507ed1e3f886ad63edd

AgentTesla

8529eb34cceb6ef63968606554a079f0be1b9c5c1ab760961d6213144f96a3bb

AgentTesla

924a88861bc8088ea5d9bd39765638b6376bcbe32930413ebb0dfb688554e0de

AgentTesla

9c1ec23b3bd8de007b86280d0ac67786d0c03f84dd596e826a21d29390aa99da

AgentTesla

a1ce7cfa033d31213c3ad2cac21b20f274f9aeb5b8f38af735297856b37c417e

AgentTesla

a25e8f53a69b01074187de880fcb4a2e8fba9b32d781957162fb8fef4fac85b1

AgentTesla

a2ac13524f4a08b0be3073d77ba45f26c7f24a4546087df052bd377958b2bb57

AgentTesla

b7f19729b194bac7f587a7cc19778e925a218fec8106b23466367b2847b99ea2

AgentTesla

+ 11'452 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger trojan stealer spyware family:agenttesla

Link:

https://tria.ge/reports/200701-3t252yrtfe/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar