MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a07ee811211a675d2b1b29783d278f340029b69306778547d69fa73f16b1b115. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a07ee811211a675d2b1b29783d278f340029b69306778547d69fa73f16b1b115
SHA3-384 hash: 31ca796a43c5ee5b33415e0acc7a009fcb8ca8d45225f41ba1d722b4405a94fec796158405ede8315a91cea9b546d11e
SHA1 hash: 47ced4dcfaed4f93b9a9caf0c8c1d480ea5ea4b5
MD5 hash: 35b13d68a05705ea7874b2da7dab7f64
humanhash: chicken-saturn-salami-spring
File name:35b13d68a05705ea7874b2da7dab7f64.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:519'680 bytes
First seen:2020-06-11 13:54:14 UTC
Last seen:2020-06-11 15:31:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:r8iFiv68+62kzUmZaKtZMo+EtYj9uoRWufn8wGrZ4qgV+th6kqjlYqDOJcBCs:wisv68+qZaKtC3n3pGtFiCh6kqjlY3
Threatray 12'277 similar samples on MalwareBazaar
TLSH 11B4BF893650B69FC85BCD76C9982C24AB6064B7632BC347A44712EDAE0D7D7CF052E3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/9030/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.331.21210.737.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 07:59:02 UTC
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ub7oqejbdjtv2ky3ff4d2j4pgqactnutaz3ykr6wt6tt6fvrwekq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
49d77c8caa4d87fa662a587b32f6b138c7eb8b7a4b0ef369af695bb231c2aa4e
AgentTesla
797bca58afc236dc09c24c62d8faea37d2fe7817133138ade685d351130c756a
AgentTesla
7f2a8610931a1f5ff9793dcb854ca01aaa6410fb5b4dc287753c558f1b60eee1
AgentTesla
af57927aac1c53cbb2fa38eceeb02f2739a44433f9dd0328e22e69da3239cf39
AgentTesla
ba570d5e847509c2b56f4bd5dfb21115e1e9516481c2a89859c2f682786a0eae
AgentTesla
bcaa63ef1ed52c23a1a502fb74841dc79dfaa928e9367f22ba4412c0f0aff90e
AgentTesla
c5e0aca5108536d030a5ca781ae1610f8868d67082e35bf3ba3123f333dd27a3
AgentTesla
ce5a82d9e4d14e5511170ff4bb06aeaa49a937c39a6770a8e9b38d589b8339f6
AgentTesla
cf13202e5434ed24d8aa3c5c726735a4b3937269f44963bd6476467b63ab8a5e
AgentTesla
dedf36514df689bf45199f4637020acf6f800ccdca2f8558b96973ed6298b72b
AgentTesla
+ 12'267 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-xmxsvfwws2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
ServiceHost packer
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe a07ee811211a675d2b1b29783d278f340029b69306778547d69fa73f16b1b115

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/386641/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/9030/

Comments