MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6d937290d2d478dbb5ac269b00586d6e2b1d85e667bb137d1b883f6006bd0d6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6d937290d2d478dbb5ac269b00586d6e2b1d85e667bb137d1b883f6006bd0d6
SHA3-384 hash: 1756992f62dde0941372bbfe0f25b824eb08da70256c367c46efee41ec81da513dcfce2ab2e1e90c387585a3f66d4925
SHA1 hash: ac45dd5323138baadc76367dbd9f09ba605f7cd0
MD5 hash: ab5f7e195bf6453d7c47c99515d3e5ed
humanhash: minnesota-pip-foxtrot-kilo
File name:ab5f7e195bf6453d7c47c99515d3e5ed.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:309'760 bytes
First seen:2020-05-05 11:29:06 UTC
Last seen:2020-05-05 16:09:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:LxlY0bXNJuT1nLrAx1hgKo72K1yfBq3LxwEA++KIA3kyub:Lxg1paI4Bqtb+KIA0
Threatray 10'753 similar samples on MalwareBazaar
TLSH 49642B7E7B88B902F13E1D7251E2522012F1D4435E12D34F6EC46AEDFF617C92A4A3A6
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 12:15:39 UTC
File Type:
PE (.Net Exe)
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3mtokinfvdy3o22yju3abmg23rldwc6mz53cn6rxcb7madl2dla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01bc78a6f3181017aa8777831c018ab764d19a01dcc20d0dc7337954d31e2f59
AgentTesla
163ad84d7db148a5673e87d8134a699577c55518b6313a8ab81dc61fe0ca6eef
AgentTesla
2391c9beb21916a6b7f18cd2dadf9f9c19a060b75791f6052e65a683161d7a60
AgentTesla
2c6aa8d5fd233661b6d8c0130af1a0c63539aae4c05fb03d74859ebeec3b7cc6
AgentTesla
373bbf9fe0aa747106f165d07c474e8e73c891e0150c87c90d8f389a3621c044
AgentTesla
4917103eef77ce8fd5beb88efd446180445e0ee6ac933f5e42443d3673d62bc8
AgentTesla
6dc407eb41b8a813558364ae42dcdcce2019209615cc73141b9b6b91de15fd29
AgentTesla
806f31221f182e4a97f68f267894aa671f18f5a8a112bf70ec1f64fd078b8000
AgentTesla
d2b81427fe1f056fcb3678852c1f56cb4dc21fe8c3cc7dc9f83cb77144284164
AgentTesla
fbc8a4a7c795fa996462ad57db81b1b8c06e95cd9f6a6c0564c749682cdd6692
AgentTesla
+ 10'743 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-74ggv62kt2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe a6d937290d2d478dbb5ac269b00586d6e2b1d85e667bb137d1b883f6006bd0d6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/358350/
  
Delivery method
Distributed via web download

Comments