MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fed5314906b5873cd970313215aeb2714819bb965dc4bb7648154f1dddb6680. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9fed5314906b5873cd970313215aeb2714819bb965dc4bb7648154f1dddb6680
SHA3-384 hash: 96110acc1db664cdec62142f6ef6a9abfdd0f55b4f851d19f00a77825e54152fe4594c9315ca846bea59c0296e1b4a41
SHA1 hash: c964272ba2445ca7df4bf371ff2d0774e40f52b5
MD5 hash: 966e9356e8434266b7e4b3fc78045201
humanhash: uncle-yellow-west-nuts
File name:NEW ORDER ITEM.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:501'760 bytes
First seen:2020-05-11 14:06:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'598 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:CbMqN9OX3hQypAYXRMk50vQEVJhlEDCFX+9SWgIHhByplqnMydmNAcraZPs3:C7TQ3hQypA4O5PEDCd+v7HbmqnVdmNV
Threatray 10'613 similar samples on MalwareBazaar
TLSH 8EB4BE4023AD6B35F13A9BF458A0A051C7B6752775B9E36E4EC120CA0AE6F81CD41F77
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.ence.marketing
Sending IP: 62.138.11.76
From: Alikambar Navab Hasan <alikambar@algurgoman.com>
Reply-To: serhaitoguz34@gmail.com
Subject: RE: REQUEST FOR QUOTATION GURG CO. L.L.C
Attachment: NEW ORDER ITEM.zip (contains "NEW ORDER ITEM.exe")

AgentTesla SMTP exfil server:
mail.orientalkuwait.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-11 09:00:00 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t7wvgfeqnnmhhtmxamjscwxle4kidg5zmxoexn3eqfkpdxo3m2aa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
010376ca31e9211822e78b07de7e3b5dd524cc359ab8e479b8f5435f81c8398b
AgentTesla
29dbd904452edf79122808dfb4810fcf8d089b8e298f68d48497c4b82ebcb1b1
AgentTesla
2acce03be9204acbcc6fc59fa5bebc3720d91a9d7daa122c0ea086c4727fafce
AgentTesla
2e2d653168e43020a1e1d0d9d064d1331057969616b60e4672ef51625c3bb5fb
AgentTesla
3738fc108c0b735d09b548a5b53e6f851d25c1a04058d965285224980372b5fc
AgentTesla
5230cda14200f44ae86150bf46d875dacdac03db38a60c254451e5aaf0d1dbe5
AgentTesla
5625e5bd375d6e8a6584b960c3e152623ad56531937c26d38132253dce03311f
AgentTesla
885d26250bb716a2f7525fe7785d2bd191b8943ac9a393411339542fa87d1d38
AgentTesla
cc755c59e27a7d6396e421c7e8365d250d615c10db82b3cf382323289f915e16
AgentTesla
f1d7247c8ffbddee868cba452966a10f19c0191f945759589134f1e2f67599c9
AgentTesla
+ 10'603 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-szcdveecnj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip bab21d1486af54dbb750085fa4fdd9b6ff173e587ca066ce773db2271ed2366c

AgentTesla

Executable exe 9fed5314906b5873cd970313215aeb2714819bb965dc4bb7648154f1dddb6680

(this sample)

  
Dropped by
MD5 9ae5e53fa188d4d40c48a7d9dd8f92c4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bab21d1486af54dbb750085fa4fdd9b6ff173e587ca066ce773db2271ed2366c

Comments