MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0e782de977146a63ed996e43d1aeba0672346d956ef89486c3585303cc6227a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b0e782de977146a63ed996e43d1aeba0672346d956ef89486c3585303cc6227a
SHA3-384 hash: 617415e8c76ff828694187d30cd1233e72db20183a010459664971bdc035191133e2d1528849f57a03daa8e90f743dd6
SHA1 hash: d8712bf887ca8a0a7be611beb3dfde09d101e55b
MD5 hash: fa4392a6fe5e35ecc1e211fa5e0d1d9a
humanhash: august-wolfram-oklahoma-foxtrot
File name:fa4392a6fe5e35ecc1e211fa5e0d1d9a.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:308'224 bytes
First seen:2020-05-14 05:57:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:kBl2yEoYxHMhopt4Tgb1JTofxMLb+Nc2Lneasbr7w1izb:ol2yEouHl1JTl72bsbr
Threatray 10'596 similar samples on MalwareBazaar
TLSH DA6429BDBB88B902F23D5DB251D2522013F1D1834D12D35F6EC86AE8FF517C9294A3A6
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Autorun
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 11:52:20 UTC
File Type:
PE (.Net Exe)
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wdtyfxuxofdkmpwzs3sd2gxlubtsgrwzk3xyssdmgwctapggej5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2240c11ab9505ff6c17ea4b7d03ccb3b072e19d94357ead07116ba108c9d900d
AgentTesla
2adb3891f61ab6b0331e50da04a3cbbfef3a578da513e8360cd567727ed5e790
AgentTesla
5c2be89f4ae2a9cb4f80b264b98026986b76c1f971a5ee7bfe138fcfdb196430
AgentTesla
7b30f4495b6650b1059c97b73bfb14d5ce76636cfdeaf3f5537a1973e625bcb4
AgentTesla
84690bd0d175cdc6759322ebb820a116edf59db2ea21362391f17da127684b09
AgentTesla
904d077a8445b8b25a33703b1a5d4e78a01f79a31e705d2634bb300aca54d2ac
AgentTesla
b00945cd0c4c0ec8a60178147f75757ceeb27574d8edad11f435ed7105a92e33
AgentTesla
c506e03e2ef24d1a95ff314bb7f9470e87cc27281570cf606d2a408097e82757
AgentTesla
e2a39496eb374c40af43d4e21ec63e98186c36d6f0bf8ebd1b25619a234dd9b5
AgentTesla
edf16d5a8a574b768e57a54d09c4bbce2476f25bdac71439d0a6a90afea1380f
AgentTesla
+ 10'586 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-ebjlch5g66/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe b0e782de977146a63ed996e43d1aeba0672346d956ef89486c3585303cc6227a

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/362256/
  
Delivery method
Distributed via web download

Comments