MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0e235eeab80ec69585271a662cfca4d0a8b7f89495fbb55a42758be1ebb7676. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0e235eeab80ec69585271a662cfca4d0a8b7f89495fbb55a42758be1ebb7676
SHA3-384 hash: c05b6b485bda8c754b2b044650333d7da4897d519156a080ca0eec5f65fbb8b36cd22c02f741ae06f196f23eb4a2cc96
SHA1 hash: ad2e76e05802bd123545f3c07dda0340a997138b
MD5 hash: 7fefb5c6ba25d72d26510e540a5f9251
humanhash: earth-winter-mobile-saturn
File name:PAYMENT TRANSFER CONFIRMATION - REF TTMIDLG00MT103.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:393'216 bytes
First seen:2020-05-13 06:11:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:/5wF6OuUfSyO7AmGyPqlU3P2JleZ/oN7S62FhGMLmgFslMLUf4zPbAW/KIw5eGLg:/yF6Ouy75yaU3P2bw/oNgGMCW/S4zPc8
Threatray 2'057 similar samples on MalwareBazaar
TLSH E084125464708BCFDA9A05343855E2990A216CB5E6C0FBCBBC6E7F2D98F8BC51C443A7
Reporter abuse_ch
Tags:AgentTesla BOA exe geo USA


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: jhctxpdmta02.jharkhandcomtax.gov.in
Sending IP: 112.133.209.148
From: BANK OF AMERICA <tribunal@jharkhandcomtax.gov.in>
Reply-To: info@apiholiday.live
Subject: PAYMENT TRANSFER CONFIRMATION - Ref: TTMIDLG00MT103.
Attachment: PAYMENT TRANSFER CONFIRMATION - REF TTMIDLG00MT103.arj (contains "PAYMENT TRANSFER CONFIRMATION - REF TTMIDLG00MT103.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Generic.mg.7fefb5c6ba25d72d.3963.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 06:37:11 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=udrdl3vlqdwgswcsogtgft6kjufiw74jjfp3wvnee5ml4hv3oz3a._file
Verdict:
malicious
Similar samples:
164e48e363fa5ab0f87e623500e1a9752deb0726e14d2dbfb8efb3fb242b0de4
AgentTesla
2331837cf27d223a23b000cdf14f026c383a628ae69d516726b19fcb9424359a
AgentTesla
3be9a39a38e9b29caca887de4c983aa2839004bc0fdbec8767fc6001c46fb250
AgentTesla
3e65f5a5983ed021643425c83b8ffc1f324402a3acd38bf6625658218a690fa0
AgentTesla
6b8c42512f9ded989af306acf3815e327bc85e0110dec5e6afe04900ff8d5429
AgentTesla
935e06731d9b88fcf33673ae11c9f9d184610aa64a6b7e1da89b1328a34e1b83
AgentTesla
b2dfba1ce7b2522089f2d409187d5661483e581e893f7fb6fa681b5dbebed71c
AgentTesla
cff33a8745ac625c5b182ba9ec05cc309ca77346b81f748c9a2738d8322ebf05
AgentTesla
d159b66f0376a6dc5026fd4a827e12c77af9bf91d69e1c2a4766bafb236f344b
AgentTesla
e102edf045b60201468f4f7910e3ed9d78bcfb0a1e0955bf14faa9ebb2deab8f
AgentTesla
+ 2'047 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-z16acb41aa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj 85dfe3a94382cd1665533c4fb79c0ff7ea6b1a327e2bb11238ceb5347e36a76f

AgentTesla

Executable exe a0e235eeab80ec69585271a662cfca4d0a8b7f89495fbb55a42758be1ebb7676

(this sample)

  
Dropped by
MD5 4f74124f95e1e9d05dffa1601e11603e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 85dfe3a94382cd1665533c4fb79c0ff7ea6b1a327e2bb11238ceb5347e36a76f

Comments