MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac344ea62e7c953aeb54edc185c52d7340184a32b93e7bc958f32f7857df80e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ac344ea62e7c953aeb54edc185c52d7340184a32b93e7bc958f32f7857df80e1
SHA3-384 hash: 1a0487ccf6346d699c9834aadc3107e631c95a470d609d991c1058118fe88abedc31bbc437f9136c7d43bbc570f21751
SHA1 hash: 8fcef6db66ffed1f19db15cb80a37fa1ff0c62ec
MD5 hash: 9628aa86091d7c3605a183c02a6e86a5
humanhash: mississippi-mississippi-beryllium-beryllium
File name:scan0536.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:569'856 bytes
First seen:2020-05-06 10:02:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:SEhim6exLhTVsxbDEt0qrnDCWUmeRlS25tTPoXJpdPiFnhn:SEhiz4CJi1GWSV5dcJP4hn
Threatray 10'971 similar samples on MalwareBazaar
TLSH 11C4C099F2A1A8DDD41BF1F89D75AD2122133D6995264A0B307B312D8D7B383CD26E0F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.linux66.papaki.gr
Sending IP: 136.243.173.169
From: Jina Choi <associate1@asatmia.com>
Subject: INQUIRY MATERIAL-013486
Attachment: scan0536.iso (contains "scan0536.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.LuheFihaA.12245.1221.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 03:59:45 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vq2e5jropsktv22u5xaylrjnonabqsrsxe7hxsky6mxxqv67qdqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
avemaria
Create hunting rule
Similar samples:
0702729c34578ee78cf3cb883ee298fc4aa67dbb433981790605e4e4afb642ff
AgentTesla
0bb5de79c5854bf640949e0babed8b67ca01e50eecef19a66d0fe771d410d218
AgentTesla
2ae5302a997467e32d4822fbf756f9355d0474facb9cc70dc65eaa382f055e08
AgentTesla
7869efa11c5b54d99fe99255d6875d53dbd6e347b046f8b6a54debc3a59e62cb
AgentTesla
83c6d11ba6f96505846001aa195d3daced4d9c8fd2058fc8a68a049dbd6066ea
AgentTesla
9c41470416c33f1ac91bdf39d8bbec407e0214456f9d298e736cd62586345676
AgentTesla
df522ebbb24be87ed9c2cd238fb767767f44ee853e37593039aec7e5723b178a
AgentTesla
ea2b4579502edcbf620e89086f0d701f1533ca67f5dcaec50a57fb4e8b8e46f5
AgentTesla
ea2e7ec387cf91e0ad3d44c01b25adc702061e93b66d21f8b3dd1eab812045f9
AgentTesla
fc8479f3c23fd3419b4ac1145b331d45d6fe1959faeec7590a013dbc79019332
AgentTesla
+ 10'961 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-asnhnflszj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso fb679ead82d5b2635ad31383aa9d831425ee19d0c50055927bb6971f98f8774c

AgentTesla

Executable exe ac344ea62e7c953aeb54edc185c52d7340184a32b93e7bc958f32f7857df80e1

(this sample)

  
Dropped by
MD5 ce10f3841e437b26b5d61795ae32b5a1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fb679ead82d5b2635ad31383aa9d831425ee19d0c50055927bb6971f98f8774c

Comments