MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93a5402cb48bbdb12239e900a7f15376b5dc817a10a0bf1952d27d7762fb3a26. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93a5402cb48bbdb12239e900a7f15376b5dc817a10a0bf1952d27d7762fb3a26
SHA3-384 hash: 8b2247fcb7fa5bb740dc8fc48dd481f1390c81bfe4d37434ab34ff52e7ada899b63238fa1d4dd0a74732f7a6362152e0
SHA1 hash: 66552866a1836f936ebb5e5dd9a05011de6a81b9
MD5 hash: a7f3a42ab9df9f96984f7633a2fec293
humanhash: jersey-maine-mars-avocado
File name:a7f3a42ab9df9f96984f7633a2fec293.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:873'472 bytes
First seen:2020-06-20 13:00:09 UTC
Last seen:2020-06-20 13:41:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 23164e7da38dae74b67b0d8ba1348a44 (1 x AgentTesla)
ssdeep 12288:E7TUWxTHzsETCVqb8zeIOo4WEFYSXvdjjCW6+OwJy7FgV0ugJG8rHGUkz:E/juVqbueA4LCID6Tw87FgLUc
Threatray 11'299 similar samples on MalwareBazaar
TLSH 2C059E22A2A044F7D1321A7EBC1B63749829BD1029289947EBF4CF0E9F3B6513575ED3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
dutchlogs.us:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/12332/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.CryptInject
Create hunting rule
Status:
Malicious
First seen:
2020-06-20 13:02:05 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sosualfuro63cirz5eakp4kto225zal2ccql6gks2j6xoyx3hita._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
1c4b9a6e6e06ba66af9feefe1b1a585a48d242aef0034d0bcc78b7217e11dc7c
AgentTesla
47c8fab622177ddaa495e4b9294c0949be6c7572ef15f831ee7c326af0200ccb
AgentTesla
7927d24010f7ec25ea4026291036fbab975b5ff66398658e15c59165bb71e953
AgentTesla
7f8d72a4a54926d36622fed3a0dd9f4ba33da40755ed127ba16c18ca53eccd54
AgentTesla
9622729f9517d5a5eecd4a278ea564d750b17e300337a0f0e023c986bf0e537d
AgentTesla
a884c6f90ec51dc6d39304e05efe5820d5c11afcd90abeaca8969b4adb9448e7
AgentTesla
e13ff526ce3e9f7e3684d6f6e0bd9c34d8c50dd53ed82467e672c3f622e4446f
AgentTesla
e888883e6993ab7df3edd30eba22f6282c33324a21ffbed661c6478393e2296e
AgentTesla
f92996df2e909d06db8e0a3af572568fe0a321d1e09933fb7c50f7e6fc8ee976
AgentTesla
faa14b162487c010a973901cb7a91e48c512b0193fd449be475f94c32b0ff212
AgentTesla
+ 11'289 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-zkaanchsj2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Modifies service
Adds Run entry to start application
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 93a5402cb48bbdb12239e900a7f15376b5dc817a10a0bf1952d27d7762fb3a26

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/393749/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/12332/

Comments