MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e1eb0470f3d916a2f5d92b6cd45bb504284c2e53f26d443a5c54ad1252c4d1d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e1eb0470f3d916a2f5d92b6cd45bb504284c2e53f26d443a5c54ad1252c4d1d
SHA3-384 hash: 564bb2604691d72ee1291d60a7aa57f37022d8d15334372551aa6318fb297392430c7afd92c07379b434a3c76041654a
SHA1 hash: 70bcbdd1f7404fc77e4a621786f7974bec8a5b50
MD5 hash: c59e6f3c0b7c6404f15dcf10544721f3
humanhash: sad-double-kansas-ohio
File name:14bvf0hk.3ps.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:880'128 bytes
First seen:2020-06-12 06:50:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:7Stx9mbkp8JhqlKSLq7wfu+8EZRc9uJpK1LbB7WdtlEksz:eT4Ap8fQsiUE49IMbB7WdtlDsz
Threatray 60 similar samples on MalwareBazaar
TLSH 581527D2F54046EBFD3ACFB45B373A2105E37DED9CA4595CD498F68206E234220BA94B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: whale.dnsracks.com
Sending IP: 69.175.99.245
From: Edwardo<halilcecen@kendigelen.av.tr>
Subject: Purchase Order HYTGFBFD
Attachment: Purchase Order HYTGFBFD.iso (contains "14bvf0hk.3ps.exe")

AgentTesla SMTP exfil server:
mail.impressindia.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9116/
Detection(s):
SecuriteInfo.com.Artemis.15794.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-12 06:52:16 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=typlaryphwiwul25sk3m2rn3kbbijqxfh4tniq5fyvfncjjmjuoq._file
Verdict:
malicious
Similar samples:
0fca6f4fa44279707d8baca71d47f79687c62f528d0e872dc27c393e15567904
AgentTesla
15c86f03a9ef0aa9720a510fd21972a675d15c40ad3efbf52ff2e5cc9bb86c57
AgentTesla
58691961ce7be790966ab5f9b3e9e9740af77b78a36209c8bcd6c229bb1563bf
AgentTesla
5b775ccff09e5e183a237343bbc0b6057af38838c0781d7927ac5aa686d2e56b
AgentTesla
7c3289cdc59a8cf32feac66069d09c48a930d4665f740968521adaf870172644
AgentTesla
7fab681c57b3f8918c974e5a436b72f9a963ae8b4d4ab5592ceb17cdb57f14f9
AgentTesla
8b821e88c568d00613f802e79eda4c77913a09c7760dcfdd80e8886b0a8bd8f1
AgentTesla
e0df0fba55e01353a9b0adf985e2cc625ba6741d0375e872ea012f99e5dc1f1b
AgentTesla
ec8d87e7db1c4f69358cdd9de92c9f8d4077dc7b61b4ccb834bf2fe129279289
AgentTesla
ffd1bee2a8fd62e3d445c7ceecebe9f615edcfaae2c4743e765e89a1570b51ad
AgentTesla
+ 50 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-c77ha2c1m2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso a31e492abe15644cd6e0c87e9a65985f2fa833faedd39ad27d7ec0dd63b9fc46

AgentTesla

Executable exe 9e1eb0470f3d916a2f5d92b6cd45bb504284c2e53f26d443a5c54ad1252c4d1d

(this sample)

  
Dropped by
MD5 ea82f926176da792c3b6df9192fe8990
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a31e492abe15644cd6e0c87e9a65985f2fa833faedd39ad27d7ec0dd63b9fc46
Cape
Cape
https://www.capesandbox.com/analysis/9116/

Comments