MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9910df1ac6284683a19c1fe576367e0b4174dfa65846cce6d0b3a1663bd368b6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9910df1ac6284683a19c1fe576367e0b4174dfa65846cce6d0b3a1663bd368b6
SHA3-384 hash: 7580716d74e0b200dd7bd7ce82f9628ef70669fc0f59206d0dad01663a24d2cf24c593c0e7782b8d146980800f92ca21
SHA1 hash: 192b71c52294acf8733763dbe44d1ef4f64d2c2e
MD5 hash: 52b1fe676c3be20d86c3ad37a36c4646
humanhash: island-west-leopard-montana
File name:Halkbank.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:529'408 bytes
First seen:2020-06-10 09:56:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'611 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Eqtv68+6Cl5TbkOWlaTqn0gdpk7eoZuMrNb3Uelj2gx:Eqtv68+lfTZWsqn0gd6eoZu6NY
Threatray 12'212 similar samples on MalwareBazaar
TLSH F7B4CF893290B6DFC82BC8768DA91C60AB60A4B75317D247A44712ED9E0D7E7CF046F7
Reporter abuse_ch
Tags:AgentTesla exe geo Halkbank TUR


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: halkbank.com.tr
Sending IP: 45.11.19.224
From: T. HALK BANKASI<EKSTRE@halkbank.com.tr>
Reply-To: T. HALK BANKASI<EKSTRE@halkbank.com.tr>
Subject: T.HALK BANKASI A.S. 10.06.2020 Hesap Ekstresi
Attachment: Halkbank.zip (contains "Halkbank.exe")

AgentTesla SMTP exfil server:
mail.bunsadokum.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 09:58:06 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tein6gwgfbdihim4d7sxmnt6bnaxjx5glbdmzzwqwoqwmo6tnc3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4106d7796887912eef46c78f6f62593d12152ae114e6e67c004afcaddb4296f5
AgentTesla
4a5ba37101ef029435b69fe77e8af8924e4714c66a32390f83a5546025f42200
AgentTesla
647ed4118aa8015f145cab92b15b53dee0dd928f7b3493d138696a5e28a201ce
AgentTesla
69fd68e42bf6c97d7d97134c248ced79cd81fe6b58873b3d31558bf4d875a097
AgentTesla
7d16317ca81889aab8d6d82440ab0fb2375d4ef7747f2b1d77936fd79141ba77
AgentTesla
8a1996e7954954071c7744530ef5a31a93ee9ff5cce447611f622f88718ab1b4
AgentTesla
b12752a638275e30869b256d2a7b0d6576e7eaa4b8f062d1e1e530a1a23d0736
AgentTesla
bcaa63ef1ed52c23a1a502fb74841dc79dfaa928e9367f22ba4412c0f0aff90e
AgentTesla
c4a07dc8bc6223598106bdc7ad462c050f7da18c2756fccc8c56d14b1c2bd04c
AgentTesla
df2bbdd833be8896f46c8660acfc9da2711f2a75d8338240b781fc6ee3964f9e
AgentTesla
+ 12'202 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-7k8l531y5n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
ServiceHost packer
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 1c3e0f1de0cb67e9334020d2d89dcf3020179db5f4b1366dd62f1e413b22408c

AgentTesla

Executable exe 9910df1ac6284683a19c1fe576367e0b4174dfa65846cce6d0b3a1663bd368b6

(this sample)

  
Dropped by
MD5 a52b2ee080bd2fdf168dc10ae9e7e3ba
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1c3e0f1de0cb67e9334020d2d89dcf3020179db5f4b1366dd62f1e413b22408c

Comments