MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a559613d9cad13f731c91c48d14fd8fb0633b5ca7f663a454b188c51fdfedc9d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	a559613d9cad13f731c91c48d14fd8fb0633b5ca7f663a454b188c51fdfedc9d
SHA3-384 hash:	85d3ff72358ac7fd36857156e30b0aeb9bdbfadc082af1d129499270b143fbb5426f69bdd86af2ffaa6b2c7a0225abee
SHA1 hash:	c18837cf0a899222a957fce1ac63e7abbe2ed25d
MD5 hash:	af6af84977a4ea04478ebf59f92a873b
humanhash:	lake-bakerloo-connecticut-social
File name:	HAE F21- PI.XLS.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'491'968 bytes
First seen:	2020-06-11 15:10:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep	24576:0AHnh+eWsN3skA4RV1Hom2KXMmHa2yR/dsItpbaHpHBU9wza7WViD5:Dh+ZkldoPK8Ya24pbaJEwkr
Threatray	11'115 similar samples on MalwareBazaar
TLSH	F965AE0273A19C23FE9FB1735B55B2056678E9142123C9FE129B9B78AB701611E3D32F
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: youngonedhk.com
Sending IP: 103.99.1.147
From: Shakil Mahmud <smahmud@youngonedhk.com>
Subject: Re: PO# NC1DL70 STYLE FA'20 KSI VX-PADDING ORDER-YOC
Attachment: HAE F21- PI.XLS.exe

AgentTesla SMTP exfil server:
mail.alaboor.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/9037/

Detection(s):

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL

Sanesecurity.Malware.27686.AidExe.UNOFFICIAL

Sanesecurity.Malware.27681.XorExe.UNOFFICIAL

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL

Gathering data

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-11 15:12:08 UTC

AV detection:

28 of 31 (90.32%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=uvmwcpm4vuj7omojdrenct6y7mddhnokp5tdurkldcgfd7p63soq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0972fdc5b1af8973dd3c44c276a9efe132760c5dd674dd002f14d2e78a95d92f

AgentTesla

4924046e9d0bda3e72066725e698cf3497c5b2f980f036ba2c70f833c461acad

AgentTesla

61a1e5d143ee0c8d5929ac7386b60fa13baf8e43745f644aebc970e267b6f67a

AgentTesla

a6e82740a814f93bbe3eae71109f479775246fab0d979de438bd6c74a388800a

AgentTesla

c72bce28d1e0909a66971dfa01aa823b767a73da5cedc0679e962dc9230fdf56

AgentTesla

e4d7c1e05b2a55ebc758e7f66c3828b66eaf586d9ab648a189cf294a9fb45eb3

AgentTesla

e59cd07929dcd890599b9ef376fb022a9b0408cd3547a6ebcbffca87932dd631

AgentTesla

ea7f07a6436f26d7dd4b2a091a2aa1fb31b3c1c84c40ba7164ba68014a57dfb0

AgentTesla

fe141a7b82131dc43c1e594b67eb347c63d52a43d1d2d70d4eb05f5c778883d4

AgentTesla

+ 11'105 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-h752y5zkhn/

Behaviour

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla Payload

ServiceHost packer

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe a559613d9cad13f731c91c48d14fd8fb0633b5ca7f663a454b188c51fdfedc9d

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/9037/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample