MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b8bff3f4fdb1166391484333f8b1ad46c093698a7f4a84b1bba3dc9a669c55da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	b8bff3f4fdb1166391484333f8b1ad46c093698a7f4a84b1bba3dc9a669c55da
SHA3-384 hash:	5c5631e349a91775aa665ca75a1833bcc3e894aedc35008da1670cb1317ec1e186caee0a00724c96d784a3b1a9537074
SHA1 hash:	fa524ede3678ee4ab91e6de78a248b28c9b29793
MD5 hash:	56d74258c4d9a12bd72ebffb128d8b75
humanhash:	echo-asparagus-pizza-comet
File name:	56d74258c4d9a12bd72ebffb128d8b75.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	284'160 bytes
First seen:	2020-06-22 11:38:23 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	6144:MUl0ypM9GK+md4EEGbyNKqZNft8G6M2j:Zl0yRbmODNfC
Threatray	10'602 similar samples on MalwareBazaar
TLSH	AE54396D2B49B902F73D1D3249D2166013F1D0874E12DB0F6FC41EEC6B66BCA7A4A396
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
server257.web-hosting.com:587

AgentTesla SMTP exfil email address:
whesilo@burststreamwq1.website

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/12555/

Detection(s):

Win.Malware.AgentTesla-7660762-0

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/b8bff3f4fdb1166391484333f8b1ad46c093698a7f4a84b1bba3dc9a669c55da/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-06-22 10:12:21 UTC

AV detection:

23 of 27 (85.19%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xc77h5h5welghekiimz7rmnni3ajg2mkp5fijmn3upojuzu4kxna._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2e5bcd2bf5dfcf1c5ae278f7e725ed488c08323b485b1b5676b90085bf2bce0a

AgentTesla

44096c1493b07b6097e73099250d28081e1729e2181420e90b5913030c9687b2

AgentTesla

5304693d6029d4d724fbf463b0850f718f978c96f2851769c6e5d83c6995c41f

AgentTesla

63df2602ff2676e438e25c4544562736eb3c4da856280600d7790edcd0478914

AgentTesla

9ebeccf2c2b987cf1506b20018874f44c8aa28c477cf33dc4f6ca45bb7f25a9d

AgentTesla

b31c888c6d36ec26e3c9d3ebd99c56abc17f860d008700e3e7687007bd09cfcf

AgentTesla

ca8bee78548af15a74451cdf1b85cd25033cd76d340f974d98b315f2d4cc7110

AgentTesla

e6a9bbee2b3b1dec06bfcddd17711777d7d14171e9c180a7310f6bb9cabf6879

AgentTesla

ff0b6df1ebbe0c832da7869563f4ffd729fdc190e620347ac93b5d2cf31896ae

AgentTesla

+ 10'592 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200624-pahzvxqc5n/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/12555/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample