MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93f1fd2b51e5ebbf6660e3101fb808c9008cbbcaea8839551a4d8ff6ebced161. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93f1fd2b51e5ebbf6660e3101fb808c9008cbbcaea8839551a4d8ff6ebced161
SHA3-384 hash: c7a54ee4540eba7b430ae276a4484e447f5dc4e380519eaf12f3760c035e82d6115ebbe4e473d277f3d5e7f4dc5b44ff
SHA1 hash: bcd56760a3b0bf6b60866bdf35fda7619ce1ef4a
MD5 hash: 7f67cb0ba007a2f68d1f48f0fcfee9b9
humanhash: glucose-moon-whiskey-robin
File name:09000000000000000000000.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:809'472 bytes
First seen:2020-05-07 18:34:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:n60ixNlJHX+nOvFNUeKvTeAg3WZTr/eR:BG+nOvHUewTAr
Threatray 10'785 similar samples on MalwareBazaar
TLSH 6105172A7B81E804D83D0671D06959F05672BD83E921C70F6ACABF6C7E733C63B56249
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.elmasgrafik.com
Sending IP: 185.48.182.122
From: Mocayco <ventas@mocayco.com.mx>
Reply-To: ventas@mocayco.com.mx
Subject: Pago de facturas
Attachment: 09000000000000000000000.z (contains "09000000000000000000000.exe")

AgentTesla SMTP exfil server:
smtp.ionos.es:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-07 18:39:04 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=spy72k2r4xv36zta4mib7oaizeaizo6k5kedsvi2jwh7n26o2fqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
16f501d2feae839294dd37a8e99239cb38206c41c0d40071cd94f74e49bd0c0b
AgentTesla
3374d3d11eef1e8fc48019fccac4fb5475ce8fec60c5e019c64662723fd5c1b3
AgentTesla
5cbdb2fe86bd4c99b0a4a5234067e82f5484aa2cf6ea159894a4f9b05ab730a1
AgentTesla
65ba1403578ca11aedad856e85f17647e3d636a6556ae0a8202336505e244c24
AgentTesla
82052d2d1596128ae63d047a1e239b44961a763bf3ecb0ce831483db2199bb57
AgentTesla
a7a00a584be58feee717bb432242d8df5c26cc8d8b7ca0ed7ce53ef0f42b61f1
AgentTesla
c59a459f5eb1b870adcca4d628a92d1ddf207528dae3d1942809cf798a07868f
AgentTesla
d801d7b446d8b77042cce4bdff252df71ba4a346e744253679889d3a0d268726
AgentTesla
fc714509dc4c3d6f3e13028be7be8207b2377331266c8ce213c575e511f8d31f
AgentTesla
fda9cdc6d189a4f40199d09a2cd49522189e9494d6a7a3dc0d5bdd5faddb355a
AgentTesla
+ 10'775 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-6tjfd21vqn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 807800ab71f12a7a3b4a3a5c145ced623f902472544ce12c4a475e5765ff4a99

AgentTesla

Executable exe 93f1fd2b51e5ebbf6660e3101fb808c9008cbbcaea8839551a4d8ff6ebced161

(this sample)

  
Dropped by
MD5 1c4b142668088b592c2214cb5a9cbde8
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 807800ab71f12a7a3b4a3a5c145ced623f902472544ce12c4a475e5765ff4a99

Comments