MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a6e82740a814f93bbe3eae71109f479775246fab0d979de438bd6c74a388800a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a6e82740a814f93bbe3eae71109f479775246fab0d979de438bd6c74a388800a
SHA3-384 hash: 6d4c2459cd884d9b37095ef839f3e11e55f31ce74c0eb4ca0514fdadab8a7736927bb51a55e4ffe8bf04999691295ccf
SHA1 hash: d43aa7644cc47deca185cdab3490e2f43b5ebe67
MD5 hash: 3eb99b9ec815d3d96305fb8f905978ba
humanhash: grey-ack-lamp-eighteen
File name:send the quotion please.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'764'352 bytes
First seen:2020-06-26 07:15:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:XIvZTGArRewRWRKlvSUsXNNB15zMV0CSlWo6v4AqkkYLHqRpHP1uWj:4vZTGlYMYvBsXNRdCck9rynj
Threatray 11'126 similar samples on MalwareBazaar
TLSH 1A852355276D9523CD794BFEF5A0362503BBF0017A96E2041FCA21EB6C6BB8346439E3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ghhaewae.com
Sending IP: 103.99.1.174
From: Ramanuz <ramanuz@ghhaewae.com>
Subject: Padding, Down & Scrim booking for Timberland Our#201-5139~5140 Supplier:Youngone
Attachment: send the quotion please.zip (contains "send the quotion please.exe")

AgentTesla SMTP exfil server:
mail.alaboor.com:587

AgentTesla SMTP exfil email address:
msaheen@alaboor.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/14682/
Detection(s):
SecuriteInfo.com.FileRepMalware.21253.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Enabling autorun with Startup directory
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a6e82740a814f93bbe3eae71109f479775246fab0d979de438bd6c74a388800a/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-26 00:10:24 UTC
AV detection:
22 of 31 (70.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u3ucoqfict4txpr6vzyrbh2hs52si35lbwlz3zbyxvwhji4iqafa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0972fdc5b1af8973dd3c44c276a9efe132760c5dd674dd002f14d2e78a95d92f
AgentTesla
1fa407bb5df8b443b6a7af6731e5b525f7f70742e269ffc91c56c6675b53b44b
AgentTesla
2add7ea27d82c525f1cd1fb7170aa4c94a095420189b5a8e41d6533313eba073
AgentTesla
4924046e9d0bda3e72066725e698cf3497c5b2f980f036ba2c70f833c461acad
AgentTesla
6a84a6afd624f252d7762e4f05125dcc731c1bc52556c5af0a9986c8149e1f1c
AgentTesla
7bfef06a2f15aed4eac113ed1f95d62d9734fd8ae39aa841b8e66e6e43699266
AgentTesla
81877c179e72019b2d31b9c4cf64fb7a44b8929e1fc0f6da28bda5e14a7be2c5
AgentTesla
a559613d9cad13f731c91c48d14fd8fb0633b5ca7f663a454b188c51fdfedc9d
AgentTesla
ea7f07a6436f26d7dd4b2a091a2aa1fb31b3c1c84c40ba7164ba68014a57dfb0
AgentTesla
fe141a7b82131dc43c1e594b67eb347c63d52a43d1d2d70d4eb05f5c778883d4
AgentTesla
+ 11'116 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200626-bhvtdd6j7x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Modifies registry key
Suspicious use of SendNotifyMessage
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of local email clients
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 7b1160f54c8ac9a114f36894e58fc1df1b28f681f833fdcc0d0b8da6cd2bffc6

AgentTesla

Executable exe a6e82740a814f93bbe3eae71109f479775246fab0d979de438bd6c74a388800a

(this sample)

  
Dropped by
MD5 d4d2830397613184beeee2f2ac873c4d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/14682/
  
Dropped by
SHA256 7b1160f54c8ac9a114f36894e58fc1df1b28f681f833fdcc0d0b8da6cd2bffc6

Comments