MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9be148a7dda520e13c81cdc99219724ca8be064a334f0efe88e2676046e057a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9be148a7dda520e13c81cdc99219724ca8be064a334f0efe88e2676046e057a8
SHA3-384 hash: 39a9007f7e2e4d3dd3aa0bfd8ef4719a110088eae35311aaf7efc7ffa3da0143d26b36096e683316489e8e4cbcc954bd
SHA1 hash: 48cd60cc95ba9cb673d62215915a96653fad275e
MD5 hash: b008e0ce11553cb34c6394d8aaf9d7a1
humanhash: connecticut-aspen-summer-don
File name:Scan_Document _copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:732'672 bytes
First seen:2020-05-28 04:22:55 UTC
Last seen:2020-05-28 04:40:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 14a86d600c59a07735f44434c52b41af (10 x AgentTesla, 2 x Loki, 2 x RemcosRAT)
ssdeep 12288:Jg8jof+rMCiLTwP+I3cUylgEe5tyZEA83GdaG51DsyNqnqt2wh+2Z4EPhwzTk:zE+r6QP+I3IgEgGEX2t1DnN2wh0EJwvk
Threatray 11'159 similar samples on MalwareBazaar
TLSH 3CF4AF22E2E04477C1631E3D9C1B5778982BBE5129286A4667F7DC4CEE397F1383A187
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 22:58:52 UTC
File Type:
PE (Exe)
Extracted files:
295
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
37b85443100f078008ce5313208784c66a7a3b73e199de6f4344787d6dfc5a0e
AgentTesla
60b66b4e182a7c2510e2abecd821a0cb30de3da1309e01ed36230cc9bc556cac
AgentTesla
99ebc0bf98a16152a009ceb9f57f5ffc55153422f23c80b34b7046cf21eec353
AgentTesla
a157c72338ab4df2b34d30ec8ab8f56669b28afa8d96b1343493d48917b5a113
AgentTesla
a2b2d55d5396e41e9e5c05caea792ee7ea5656ea034e8d71865011503a62afe9
AgentTesla
aa218adce0cc32486a75b6e5a2669c8b82afac444485f3d44bb168482276ad4e
AgentTesla
dc22c2145431a6ecc75ef2f7271120d8e102cef7faeac96d1d1d6ffb9b680ac4
AgentTesla
e856965f1981e48f4f077960c75f10c352ee8bc792776e69d4f83c3f99b9ad1c
AgentTesla
eb202130d25c28fe1651130652ab70014c7dd3ede102938c38ee1e7aa065ba53
AgentTesla
ee7bb1548fa55637eea3c95c32abe9d52bc0b51b560a1bc550d16e963d8606d0
AgentTesla
+ 11'149 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-sk5faw2766/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

d823e71eb41757bb5fdc0c078365036054c2b91c9f117e675b4958ad1917fc6b

AgentTesla

Executable exe 9be148a7dda520e13c81cdc99219724ca8be064a334f0efe88e2676046e057a8

(this sample)

  
Dropped by
MD5 391e8d3ef80343bc8e5f3179253b82a6
  
Dropped by
SHA256 d823e71eb41757bb5fdc0c078365036054c2b91c9f117e675b4958ad1917fc6b
  
Delivery method
Distributed via e-mail attachment

Comments