MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a98bc56a3689009619845fc3491c944ee12408cfe457e0a59fb2fae808c784f2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	a98bc56a3689009619845fc3491c944ee12408cfe457e0a59fb2fae808c784f2
SHA3-384 hash:	a6a5c3bcb6c90e6c6fa9c03080ab010f3d3bf2930dc0dc3029ea3fb9a1c669f776cf0519b1e05517779be7445addbd3e
SHA1 hash:	34377b298eaf020b635310e65b91ac729fa87972
MD5 hash:	3e720d22703dca6b558d1eb8bd522d84
humanhash:	one-missouri-white-massachusetts
File name:	payment_copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	883'712 bytes
First seen:	2020-06-15 13:12:45 UTC
Last seen:	2020-06-15 14:56:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:XxoeWpUth1PFyYO0Ejm+wx4IxtpjEEKoAmQ7:Xth1PYYO0Ejm+wOmtpjO7
Threatray	140 similar samples on MalwareBazaar
TLSH	E415738B1222C297D5698AFCE4203FF80D15CDBD2746D391A2B935DB2B7F7792241236
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: slot0.en-plasnic.com
Sending IP: 45.58.39.117
From: goods@en-plasnic.com
Subject: Payment Confirmation
Attachment: payment_copy.zip (contains "payment_copy.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

2

# of downloads :

69

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/10438/

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-15 13:14:08 UTC

AV detection:

27 of 31 (87.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vgf4k2rwreajmgmel7busheuj3qsicgp4rl6bjm7wl5oqcghqtza._file

Verdict:

unknown

Similar samples:

0d4623e27386fcbb4755a97f2552b141f7ffd67b56feea2768c49920bd0b081d

2e8f8383cfdb7a42c9e5ced3469619f6154b874616a2dd793693f3b53ec5cae7

32e7be2844e7be1f6ae7d262eeebe64926946ebbc8e2d91ce3760b8e1d10285c

740ad559a3b83f05776ac9f2c650c3d6268d63848c556770c57a9e6edd9f03f5

7d01a97eb5e90a8c74c6a16961ab1a1bff4a1408779e46cf769bb5889d2d44bc

c50ba6556752607323e0e14d5429961d9af3804d9b45f8c7755ec1709efc6af3

dd1dbd01bac8f1ba75f1279f9684e5f6a706559acaa2db285697c5f5e3258a31

dfca8cf09994229afec678b5c279d247e3e69c45f2878f816025b4933f3bc3b0

f61fba92541b23921c7904cd689121c68b8bf69780220586227bf01c9816c68d

f669e4406244692e23e031d355e53b51dee1b96f1e988172a2b1eabcd0d82292

+ 130 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-r9qz3hp6ta/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

ServiceHost packer

rezer0

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

zip 12882b54a8dda6cc782150be3a369aa64354a0c4dc4d4ba0bedf74660302126b

exe a98bc56a3689009619845fc3491c944ee12408cfe457e0a59fb2fae808c784f2

(this sample)

Dropped by

MD5 7adf436869a0154e6f477057d56d55b6

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 12882b54a8dda6cc782150be3a369aa64354a0c4dc4d4ba0bedf74660302126b

Cape

Cape

https://www.capesandbox.com/analysis/10438/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample