MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9316a887a00dbf992833394b7a4e05db6e6e6929f66419a06ebbccf358e45b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9316a887a00dbf992833394b7a4e05db6e6e6929f66419a06ebbccf358e45b4
SHA3-384 hash: 86220caeaf37e20aa8cec04fab558af203652b93f695f22678db8ff700b1ae1a68331c54dcc144d9a659bc7028b8e3ba
SHA1 hash: 2f3d512c076053b14edb8c02ed7a2a9a64833fc4
MD5 hash: 6ece2e8f7890352dd190713fb6e21eb9
humanhash: carpet-blue-apart-steak
File name:RFQ nº6200134210.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:578'048 bytes
First seen:2020-06-24 05:38:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:QiNMfwfRe/OVXjM4gw2kCCxAAx5tytbA7Ej4QHC:dNNReGVjM4HzxBr4JJC
Threatray 10'700 similar samples on MalwareBazaar
TLSH 7DC4E01636DCA927C32B05F488918B1513A92E9A75C5F29D7CC2BA9FE4F23ECC4112D7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: m97141.mail.qiye.163.com
Sending IP: 220.181.97.141
From: Gavin <gavin@pampering-pet.com>
Subject: AW: Urgent inquiry – UT / 06. 24, 20 (SZS)
Attachment: RFQ nº6200134210.rar (contains "RFQ nº6200134210.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13410/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a9316a887a00dbf992833394b7a4e05db6e6e6929f66419a06ebbccf358e45b4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 04:03:45 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=veywvcd2adn7teudgoklpjhalw3onzust5tedgqg5o6m6nmoiw2a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
023a43d370c2ecd948a9de58a536be43e2ebce039fead7754987fd135f35f34b
AgentTesla
031b0bcde6e169070993f85f816ecaf48f46a90f40f2d08cf5e0089d11d25e32
AgentTesla
52076bdaeca2aec859341f506d295ab541af5f1454be18dbf869694b613395c7
AgentTesla
666b4d8521af8e8c149431fea4f3fce4d859b9d102e894928edb0e005ad8153d
AgentTesla
76933bfe9afdf8d266352155f09995acadcab23345fabe2518d5bf15d45c9cd4
AgentTesla
7ce1d1ee1151f6afdcba77604444c9a5c46b2787131658b4cb6174336e96e11d
AgentTesla
851f1641fb283113cc5feb03c807bc82dc4d85ecd22ab8ff091a8edd71bb45ed
AgentTesla
a52712e0562c94f1a27207fc40845d33d2a1c8ba03fa14c66edf72c5d8351e10
AgentTesla
b8214924a598b9fd3193099fecd6c3d09f06dc5e3a9af098642c7d5327c05cd3
AgentTesla
db75415f8ca144af24173ffd301bdc910b46181ee70ef6c8d94553a61bc04175
AgentTesla
+ 10'690 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-5xc225jhrn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar e8ac68862fad9fcf7dd8a2ed546a17c2315a74ad40b7f73e18e2566dc29cd637

AgentTesla

Executable exe a9316a887a00dbf992833394b7a4e05db6e6e6929f66419a06ebbccf358e45b4

(this sample)

  
Dropped by
MD5 0093dc3079b6ba7568cf8f59afc3cac3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13410/
  
Dropped by
SHA256 e8ac68862fad9fcf7dd8a2ed546a17c2315a74ad40b7f73e18e2566dc29cd637

Comments