MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ae8abf7278b0da19bfb43d20b2d6901dcc6c69919dfa2e4ae26acd624abd33dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	ae8abf7278b0da19bfb43d20b2d6901dcc6c69919dfa2e4ae26acd624abd33dc
SHA3-384 hash:	689f1c0ab3161f158bca189820e4e57cc5c41dc35f0a38173d7aa1d49f74f5eab4a5c85b7b906491794c3e27c04a5e7c
SHA1 hash:	ff97eee55624994c213d1e3ae052f78758b9c79f
MD5 hash:	7f795037346c4358edaaa19eae11fe55
humanhash:	twelve-zulu-hawaii-enemy
File name:	gpt.alarmasystems.ru_wp_content_themes_twentysixteen_inc__pass.exe.malw
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	285'184 bytes
First seen:	2020-06-17 02:23:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	6144:iP+FsgPQ7RHL5XRdxmKGy7mezOdp/xFE:imFUdHL5XRdxmK9mezc
Threatray	10'662 similar samples on MalwareBazaar
TLSH	1554296D6B48B902F63E2D3349D1567013F1E4874E12D70F6FC45EED6B627CA2A4A382
Reporter	ov3rflow1
Tags:	AgentTesla malw

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/19006/

Detection(s):

Win.Malware.AgentTesla-7660762-0

Gathering data

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-06-16 04:57:08 UTC

AV detection:

27 of 31 (87.10%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=v2fl64tywdnbtp5uhuqlfvuqdxggy2mrtx5c4sxcnlgwesv5gpoa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

251c55b7c7c02eec9a87eca94bb01f653317ef5d8278aeb2b511194d7057a675

AgentTesla

40a33fa7eeec1caf0ee27f87a4c3d8fd8f1475789191a1693329e2fa154b02a2

AgentTesla

5d9e5c4b1119733ab16a4e156bc6637e43ca4d7c185da22c5b5322ba72817477

AgentTesla

96b854630806f4f57fa28534d9b478907db67c016bd606ba4b0d31af56f12d48

AgentTesla

abfab2713c15881c249a3779e3c51a32b173c1e899b4a4923399d865fa68ec03

AgentTesla

b2bcd8d3a82d86459384063b335f5be3c9615de574c4e2bc1ca6963eb1c9b721

AgentTesla

b358b1ea537bc5e2dd3ddddbd1e9884770665569d5baaf20c2edb73cdd90ac60

AgentTesla

c953db5455cedad0e98747749e5a6df0d5d10362831bb472ea5c023868642f01

AgentTesla

e016bfbd170c4b15789abf7fa2ba30bec2bd785e2ec9b9fc759722833ed88a87

AgentTesla

+ 10'652 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200624-t6lzn1zdex/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar