MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ac5ebb2296437f981009943674e53071e6154c70b2ba473f816a3fec9a42d172. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 4 File information Comments

SHA256 hash:	ac5ebb2296437f981009943674e53071e6154c70b2ba473f816a3fec9a42d172
SHA3-384 hash:	f9a8cff604f3d3a8ed901f36381289a3f2661b56cd9944ca381e667df39d8d95eb581426fb182ccd8c2b4f6584409071
SHA1 hash:	6289e8a13941fb004acfeb03fb2ab028d159d0ff
MD5 hash:	b4c00ac3a56c73070ccd0e25497b370d
humanhash:	happy-johnny-salami-fifteen
File name:	vzorci izdelkov.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'723'240 bytes
First seen:	2020-05-12 11:47:17 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep	24576:Btb20pkaCqT5TBWgNQ7a0SYYiqK00fz2R4OFfRD/drjJ2KbSI6ABmQo:SVg5tQ7a0s1R4cfdZJlr5BmQo
Threatray	10'930 similar samples on MalwareBazaar
TLSH	1085E01363EDC361C3B251B3BA56BB016EBF7C2906B0F95B2F940D3CA970162561E663
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: mail.mzsa.ru
Sending IP: 46.39.246.153
From: Корнеева Ирина <logo.lesce@siol.net>
Subject: RE: RE: RE: PARIZ
Attachment: vzorci izdelkov.zip (contains "vzorci izdelkov.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Trojan.Ramnit-1849

Win.Trojan.Ramnit-1847

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL

Gathering data

Threat name:

Win32.Virus.Ramnit

Status:

Malicious

First seen:

2020-05-12 13:20:00 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

31 of 31 (100.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vrplwiuwin7zqeajsq3hjzjqohtbktdqwk5eop4bni76zgsc2fza._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0470f08d56065fb5c78585dcc719c097276d9831beaa6d92c5e4b9460b8fe22f

AgentTesla

0bbe99d89a3e5e1b3ef7a9a9c6763ef85fb21a280fed3b913102e71d2368bbb6

AgentTesla

2b47982775d5a2c6ada5d6be317189756c51c91ae77490e02f4f999bbbe24d49

AgentTesla

5b0318eb9cce4cbe0d3b9e157e018efe32ef71008472f5e5238f1939361ba96d

AgentTesla

8addc01173e27e282faccde8d201c4f7a95530c95525ae3290cea5e9537e6469

AgentTesla

9425f9a54ad43dca39af1cd5f86eb4570927c5ee5d21cbe69e9ed2774fc1f676

AgentTesla

aea00ce89a5c0cc7c73381533180c5968ce79341516a262ae938a31acd7cadd2

AgentTesla

c1c47c03448a9f0797fcb2ddea8c5fdc9e3dbb13ed3bf5a3784800df490356d9

AgentTesla

f8cf294263a5456fabf8b475376392198c9462f7035714d77f0e31ab437332a7

AgentTesla

+ 10'920 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan upx

Link:

https://tria.ge/reports/201109-6kdljrraen/

Behaviour

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Modifies service

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Executes dropped EXE

UPX packed file

ServiceHost packer

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

48efabe37e69a952ccdb16bfb789f0a9

AgentTesla

exe ac5ebb2296437f981009943674e53071e6154c70b2ba473f816a3fec9a42d172

(this sample)

Dropped by

MD5 48efabe37e69a952ccdb16bfb789f0a9

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample