MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aeaaaa17804d2291dac3609fcd80d7f3859d2d8a1fa01551174706430699211c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aeaaaa17804d2291dac3609fcd80d7f3859d2d8a1fa01551174706430699211c
SHA3-384 hash: ac3d09c31bce2308f6707ea3e4c57dc30737bac49407c9fa07e906fff28e836eb5fc090af467524462aa3d3fe6d14914
SHA1 hash: f80f23c6ebfec5a034de3feab9a73c8056921386
MD5 hash: c91ae4814055b084b755ac597cc7d70f
humanhash: sink-mobile-fillet-quiet
File name:c91ae4814055b084b755ac597cc7d70f.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:680'960 bytes
First seen:2020-05-20 08:57:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f77bfe3e05f3c4bddfed9f7ac7a0d9db (5 x AgentTesla, 3 x Loki, 2 x NanoCore)
ssdeep 12288:DYs1kF2Ax/GKnqnXMfbxes9ZnBVgN+m0J+XWPgZMsITcwno0BR6B5N:DYgCy0qkH7zIiJ+XWPKyTcwjBEf
Threatray 11'134 similar samples on MalwareBazaar
TLSH EBE4B026F2D04833D163257D8C1B97589D2ABE513E2899B62FF81D4C9F397813D2B287
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.tandempakistan.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.17719.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 09:36:17 UTC
File Type:
PE (Exe)
Extracted files:
265
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v2vkuf4ajurjdwwdmcp43agx6ocz2lmkd6qbkuixi4degbuzeeoa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
1bd2167a8fcbf887fef44678673db17761bb421b8f3b5144a2fb942d5f80ad95
AgentTesla
5a90f8100f8580ed07829478230ae096c5dc561211fdedaebb5e97c863b54f3e
AgentTesla
7927d24010f7ec25ea4026291036fbab975b5ff66398658e15c59165bb71e953
AgentTesla
83d8b3913153282a251fc2f7bf74f701e02969441341297823957e5d35a5c3b0
AgentTesla
91460c91d05256b76b68f3f1167e085e9a1f7dfcbe6bb2e89eeca610d7cb0d83
AgentTesla
a6a8453fdeb8267c6b076ac3bbf7c055399b7d11cfbc1247f745c09a62a94aae
AgentTesla
a884c6f90ec51dc6d39304e05efe5820d5c11afcd90abeaca8969b4adb9448e7
AgentTesla
ba4c22cd68fe1d4fee2c9e47f1749b77e3295113d2f7ca8f50c03c61dc5cd23f
AgentTesla
bb6ff72c412db950180fbb04fae1919c36c6d8695c3167e2d11853ade00baeb8
AgentTesla
c6e26d183274fdfc63535e49ede53c4e7894de05f0054341bb031598186f138c
AgentTesla
+ 11'124 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-ynp73m94as/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe aeaaaa17804d2291dac3609fcd80d7f3859d2d8a1fa01551174706430699211c

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments