MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0e38a8ec3125711431780be0140229b6389d3b60a3bbc7aa134cc33bcc50f9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0e38a8ec3125711431780be0140229b6389d3b60a3bbc7aa134cc33bcc50f9a
SHA3-384 hash: 97d2c32b2f1d64513894513e65f52e12688a8edac515999046df3f034eb4040465140ab8b7c3366032d76be180c3d1f0
SHA1 hash: 02ca1e91dac9e276e7043d0f80f8f0ea913ac5a1
MD5 hash: a44695a060b502318026bf92f4b7e0ec
humanhash: saturn-montana-leopard-massachusetts
File name:Payment Slip.scr.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:511'488 bytes
First seen:2020-05-20 11:27:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:5dT7ANlrczY3Sic0CE6KtATHSQyPExhQILkDU0iX:5dvAlrF7TA7S+NLMU1
Threatray 908 similar samples on MalwareBazaar
TLSH 80B4F1653169490BD1E8D0FA4882209403F45A77168AFFC64DCEB1DB3ACFBEE4907997
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: s1v4.e-lietuva.lt
Sending IP: 213.197.180.193
From: Vadyba <vadyba@bolagri.lt>
Subject: Fwd: Please confirm payment
Attachment: Payment Slip.img (contains "Payment Slip.scr.exe")

AgentTesla SMTP exfil server:
mail.napred.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-20 11:35:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wdryvdwdcjlrcqyxqc7acqbctnrytu5wbi53y6vbgtgdhpgfb6na._file
Verdict:
unknown
Similar samples:
38c2603cbbeb9ee8216681d4def420dec1bb778379c850c168830d72dc7afaf9
AgentTesla
3aed1fc591ecfec392005089c870bd1f645f352a99912c1de774918e1de67f8d
AgentTesla
41c7d6bad3849fb7c5365745b2be8678e3e8ad63d5b4e8329b1b3206c5d1adf6
AgentTesla
4cc5578e9b753897ef8d0659635de7aab82fe0e17b99caf8b622ba16b0ebb764
AgentTesla
664f6eaa9564770b3bcf02dd9f3627bde68bf98de0d9ae17829a1b122060a313
AgentTesla
6b190569425a9948a6a74bb7acfa11b02f32688ab673e39ac48a44d3d258a825
AgentTesla
6f6e1498d9949546bc807123b5f8b8097bc9cd0c0edc29624e19d70e601cee57
AgentTesla
ce132a11e36407341db1d51019d28597718f90e203ff091f2e03d72d8c6f771f
AgentTesla
d07a04d317ef504a92d8dcc48a11d31a0cf61b9aed9054db1de93ad77091ae69
AgentTesla
d1befdea5b845b2f44b7b2202bdf3d9e09a26fda3287581db28af324c865cdec
AgentTesla
+ 898 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-eypr3ja9dj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img b1728b36ea2fc5a169ea9812b23e8456eaa17ed915f98e415b9d97bbdd5078c6

AgentTesla

Executable exe b0e38a8ec3125711431780be0140229b6389d3b60a3bbc7aa134cc33bcc50f9a

(this sample)

  
Dropped by
MD5 5949f9e22a38a40aca5d7b334cef03f5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 b1728b36ea2fc5a169ea9812b23e8456eaa17ed915f98e415b9d97bbdd5078c6

Comments