MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9f86e4c1e6b8dd93f705c769d056d73f0f7b28f92b3925ba9a9aee9d3505c5e2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9f86e4c1e6b8dd93f705c769d056d73f0f7b28f92b3925ba9a9aee9d3505c5e2
SHA3-384 hash: ff3845c31a6748a5cc8ddd1c487d41126605497c98a447d9059ba36d0f14897619701642d7c0092c657cd8775a0d6723
SHA1 hash: 7619e89a81c9e3e0aeefd3ca3083075212c0e8af
MD5 hash: ebf88c8098381c956709dabbccda81b6
humanhash: connecticut-delta-cola-indigo
File name:080999090000.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:534'528 bytes
First seen:2020-05-11 15:17:49 UTC
Last seen:2020-05-11 16:10:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'653 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 6144:Y9g5pZFHJJL7XJAnY7hv5DkbRAR/t63rD3x/7JF1vfb84:YgPJHX+nOZB8Rs/07/7Xb
Threatray 10'815 similar samples on MalwareBazaar
TLSH B8B4CF372A82040EC59C42F2846A69E665771ECE3E19AEDF609FA32C1FC370B675215D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: lin.eksibilgisayar.com
Sending IP: 93.186.115.77
From: sales@lohuislighting.ae
Subject: Invoice
Attachment: 080999090000.z (contains "080999090000.exe")

AgentTesla SMTP exfil server:
mail.paracaballerosvip.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generik.NFXWHHX.4725.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agenttesla
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 15:37:17 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t6dojqpgxdozh5yfy5u5avwxh4hxwkhzfm4slou2tlxj2nifyxra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01bc78a6f3181017aa8777831c018ab764d19a01dcc20d0dc7337954d31e2f59
AgentTesla
2391c9beb21916a6b7f18cd2dadf9f9c19a060b75791f6052e65a683161d7a60
AgentTesla
352d83b11ba5ad7e9ef3e81a0ad38fcaad0a617fc55dace88363272e2b479714
AgentTesla
640e087a78aa77a9bb49027500f1f29f9d31f5b64c13c99b690ea813d0737fd4
AgentTesla
89feb325f92eae1898daa092e50d605ef2f20664b49cfbb596c2534e7726ca07
AgentTesla
bab8aa286b30d5d413e87d60055b0be118695e740cafaed71754d8eb590a4776
AgentTesla
d2b81427fe1f056fcb3678852c1f56cb4dc21fe8c3cc7dc9f83cb77144284164
AgentTesla
f33188a4e793d7f27b2c649730162700bda0259988ee59262ca2be5a87527f83
AgentTesla
f95cc62c0992c9c2941bce9cac522e24e870a98b712a4823e891c665fa5350b1
AgentTesla
fbc8a4a7c795fa996462ad57db81b1b8c06e95cd9f6a6c0564c749682cdd6692
AgentTesla
+ 10'805 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-1wapk38ree/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

c7191c1b3f360b761cd4877a0433de68

AgentTesla

Executable exe 9f86e4c1e6b8dd93f705c769d056d73f0f7b28f92b3925ba9a9aee9d3505c5e2

(this sample)

  
Dropped by
MD5 c7191c1b3f360b761cd4877a0433de68
  
Delivery method
Distributed via e-mail attachment

Comments