MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a9d7b84cfc7fa078466ceade8534942fb80b0acd25ba3f8b848dfc12dc1fae21. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a9d7b84cfc7fa078466ceade8534942fb80b0acd25ba3f8b848dfc12dc1fae21
SHA3-384 hash: 1cfea99378b801ca95cf4b8a843c3d66f5006cc6c4a5f1d98d6d4e350cd1145dedbf2c1c09c797cb826b601f539e2b34
SHA1 hash: a0a833039bc5cb87bd1ed66d62f1982313e7e134
MD5 hash: 5a79ff274a3007152a7bdb2dfa7da370
humanhash: speaker-berlin-hotel-papa
File name:Shipping document.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:748'032 bytes
First seen:2020-06-02 07:44:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bea360bfb27d8eea8cfadfbf8d4f992d (8 x AgentTesla, 5 x Loki, 1 x NanoCore)
ssdeep 12288:HP3Ap0AcJKfs3RrAIaNq4uoLGv/fTAG/SeLO8LJQE4XykS2ORUp36O:vgKKsmIaznKHfsGqeL14CdeZn
Threatray 11'648 similar samples on MalwareBazaar
TLSH A0F4AF22F2A04433C263167C7D5B77789C3ABF302A6469866BE5DD4C6F397813836297
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

From: "DHL Customer Support" <ilia58@dir.bg>
Subject: RE: DHL Shipment Notification: 6338632252
Attachment: Shipping document.rar (contains "Shipping document.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 02:15:21 UTC
File Type:
PE (Exe)
Extracted files:
286
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vhl3qth4p6qhqrtm5lpikneuf64awcwnew5d7c4erx6bfxa7vyqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
01623a798b7efb749c3409651a85050b58327c7dbe59740f79dac9b78ae24c9b
AgentTesla
120d96195361d6479ef060e244d7337939541c59b434d329103627f35d65f697
AgentTesla
33fefd2ae3ff75bcae6718f2abbc99bc7ca047a4543c5420883eb39e1128e9e5
AgentTesla
6b4d7ac31a05055268f04ba4a727a23c12e25892aa8ff5896b28d21ab820aa55
AgentTesla
cd4ee674aa9d15d9b3ea4786f008b850340a14db344d5ba7ddddd0ce734fb3fa
AgentTesla
e5d0489c5b615585c49b6389f66c7f9e3694078e7648272db4632affcc5457be
AgentTesla
edfcf01c73ca6335d2040ac54b4d1513a4bb1ae7756e2ead34ddb6b03fb044f7
AgentTesla
f02f1aa81359a40dc5654db55fe211c8dff8c88a790d10089fcbca1840a84c3a
AgentTesla
f3232a34ddf3d75e57216467b754d135204fddc84a1755d694aef2c4a3b599e5
AgentTesla
fc849ef113b6dfd401b03e989e2888e30c62af7938347a2bbca04153f5b36249
AgentTesla
+ 11'638 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-1q8jfbj7cj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 2503c878490378d72ff4570249492352824157b7ca176764f31fe76f056c4864

AgentTesla

Executable exe a9d7b84cfc7fa078466ceade8534942fb80b0acd25ba3f8b848dfc12dc1fae21

(this sample)

  
Dropped by
MD5 5d88e0f725389e4f6d62cbcced7968d1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2503c878490378d72ff4570249492352824157b7ca176764f31fe76f056c4864

Comments