MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a3b4f9b425bfb0ac4ea5c7007f880658910320c95312766d59ffa6d44a658926. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a3b4f9b425bfb0ac4ea5c7007f880658910320c95312766d59ffa6d44a658926
SHA3-384 hash: 73f46f2abbf1262a7ec697182d0b15ac754d0a706973c865241fd21750d8c67335a514029f69681862c08090d9ebc634
SHA1 hash: d5541637468c620e21263ff182d82b426ef20158
MD5 hash: 5a81cb093f69236676b9a94bcbab8ffa
humanhash: tennis-maryland-carolina-glucose
File name:PURCHASE ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:449'536 bytes
First seen:2020-05-06 10:46:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:QlClCUu/PUjt9z5UHLSDMEAzaKBJfnWExpV:QlQt9IWOnFz
Threatray 10'675 similar samples on MalwareBazaar
TLSH 05A4E1202AEF902BF3B79FF64FE075D69A5FF6733A06E55E148113824612E41CEA0536
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: khusheim.com
Sending IP: 103.99.1.173
From: Mubeen Ur Rehman.K.K<proc29@khusheim.com>
Subject: RE: QUOTATION 
Attachment: PURCHASE ORDER.rar (contains "PURCHASE ORDER.exe")

AgentTesla SMTP exfil server:
mail.villalefkothea.gr:587

AgentTesla SMTP exfil email address:
info@villalefkothea.gr

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 05:54:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uo2ptnbfx6ykytvfy4ah7caglciqgigjkmjhm3kz76tnistfreta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01c8966718aa1996c3b0460be4df08ec32e4a17af72a27947060a6fc07c7455f
AgentTesla
332287b244dfebbabac15b5b4dd3fc3bb6f488d3460c2de5259254136040d0e4
AgentTesla
70a47bc4b27037b13134fbccef50134102271d80cbe39e5d5fc7691e1ca01e71
AgentTesla
8addc01173e27e282faccde8d201c4f7a95530c95525ae3290cea5e9537e6469
AgentTesla
8ef32d6af947a4d8fe18a7d26f6407c3dbfe687d97d24551189cc33cce4a64a4
AgentTesla
924a88861bc8088ea5d9bd39765638b6376bcbe32930413ebb0dfb688554e0de
AgentTesla
ac5ebb2296437f981009943674e53071e6154c70b2ba473f816a3fec9a42d172
AgentTesla
b7f19729b194bac7f587a7cc19778e925a218fec8106b23466367b2847b99ea2
AgentTesla
e7648810cfb22e44f944ce7ad2f58c6fb0d2577652d79d72a210e83938f716b3
AgentTesla
ee7bb1548fa55637eea3c95c32abe9d52bc0b51b560a1bc550d16e963d8606d0
AgentTesla
+ 10'665 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-9s7sxc8kmx/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Drops file in Drivers directory
AgentTesla Payload
rezer0
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 5ded5d1e8d72f9cb5365460eb62ebb40799a2e48d2c7ac14e7cb6ad3214dfbcf

AgentTesla

Executable exe a3b4f9b425bfb0ac4ea5c7007f880658910320c95312766d59ffa6d44a658926

(this sample)

  
Dropped by
MD5 b7cf3530e3c9122520fcaba9d800fdd5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5ded5d1e8d72f9cb5365460eb62ebb40799a2e48d2c7ac14e7cb6ad3214dfbcf

Comments