MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af9f1fa67d9f21a777af09c9edcd8eba3765b556551a04dcb95b8163cd3b0c6d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af9f1fa67d9f21a777af09c9edcd8eba3765b556551a04dcb95b8163cd3b0c6d
SHA3-384 hash: bcdfe5c09a8b554b6d30fc6798ffffe5d43cd6d9182ecb2f60f69c639f24661413e0b5b959a9791d5d9b92a487a1b71b
SHA1 hash: d8deecb77effd786c02a40f316f9cab08b07f28c
MD5 hash: d6f9636c227c25968edb9405f41ecec1
humanhash: victor-aspen-chicken-nebraska
File name:d6f9636c227c25968edb9405f41ecec1.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:287'232 bytes
First seen:2020-06-10 10:25:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 6144:ZBKUPtL2GVZcgaeeB0Dc0WMRqUparZk2:y0t3kBZU4q
Threatray 10'640 similar samples on MalwareBazaar
TLSH B354296D2B48B902FA3D1D3349D216701BF190834E12DB4F7FC46EEC6A527CA6D4A396
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.espiralrelojoaria.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 15:24:03 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v6pr7jt5t4q2o55pbhe63tmoxi3wlnkwkunajxfzloawhtj3brwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05f08d66b6f118c60851b9b3a9f86eb9db05955af1bb2b6bbdd9b5308972b3b3
AgentTesla
294cf2895407982e76f245557284a2c6eec761afd0d00d79dd30564a87a9bac0
AgentTesla
5568021e42a81a2755fd6d968efa50b13f99a9997d8973097231079de84832ad
AgentTesla
70e55061f4e965a512c042bc1541f3d4e5a910a493ffb63d5a123f9c82a94f70
AgentTesla
7e393bcd518415ad70e7a6924c8798391400554fce9c2a639a891dcda4f8e230
AgentTesla
916af86a5bfa7f558b376344b9aaf6e4440d21f2b38da0bb9fd60b1d4a578809
AgentTesla
adbdc4cbb6b8805700fcfd618e763872f6960f5989a62c9cdffc961d9b0f3e39
AgentTesla
af7aa3b76b8d11ba1d518006e2b4ea6d574573bd2bba6594a57825e33f9ed87c
AgentTesla
b762913bb02e0e7f3b2dd7be4b813923fbb0389e699d2b6f846bfecad6c8c72a
AgentTesla
b81898c8e22774e33768ab962a3acca0c718197c2b4434f3ae51761569bd7ccb
AgentTesla
+ 10'630 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-1q5takpae2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe af9f1fa67d9f21a777af09c9edcd8eba3765b556551a04dcb95b8163cd3b0c6d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/385305/
  
Delivery method
Distributed via web download

Comments