MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb6ff72c412db950180fbb04fae1919c36c6d8695c3167e2d11853ade00baeb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb6ff72c412db950180fbb04fae1919c36c6d8695c3167e2d11853ade00baeb8
SHA3-384 hash: dbea188af4bd049d4ef95fcba5ff0a3eca9479962cca0ee52e43f0af00ae09f8a170cd7f998d4e646b13dfe29a10d0f0
SHA1 hash: 3678b84268a94629b5d2bf26af25c0e47f9bdba2
MD5 hash: e2c7e32579622a1d6ffb686a53446ac4
humanhash: mike-sad-oven-skylark
File name:e2c7e32579622a1d6ffb686a53446ac4.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:689'664 bytes
First seen:2020-05-28 12:41:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f77bfe3e05f3c4bddfed9f7ac7a0d9db (5 x AgentTesla, 3 x Loki, 2 x NanoCore)
ssdeep 12288:rYs1kF2Ax/GKnqnXMfbxes9ZnBVgN+m0J+XWge9Rpec9dzbFA04Vq61j:rYgCy0qkH7zIiJ+XWgMoc7FtWp
Threatray 11'668 similar samples on MalwareBazaar
TLSH BBE4BF26F2D04833D16326FD8C1B97589D2ABE503E24597E2FE91D4C9F3B68139262C7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.sherwjn.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

Win.Malware.Nanocore-7846726-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.Trojan.jc.17719.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 14:28:39 UTC
File Type:
PE (Exe)
Extracted files:
263
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
2f7909f2f9c886007630cef749f408d4d7be271182dadf6bb0ff6924ad65703f
AgentTesla
4224ad915442d3db1c1c6e77ae9c689fcf2db123aa1f9c1582472888acff9682
AgentTesla
5a90f8100f8580ed07829478230ae096c5dc561211fdedaebb5e97c863b54f3e
AgentTesla
7ec1de8610f3d1d4c6c08bb7edea979c10be260d9bdd02909e67cbdb1d44a5c3
AgentTesla
84dd1269da11147a6310526bca76c2454d7cba5755051371f9cf61d1c96c1f78
AgentTesla
91460c91d05256b76b68f3f1167e085e9a1f7dfcbe6bb2e89eeca610d7cb0d83
AgentTesla
a6a8453fdeb8267c6b076ac3bbf7c055399b7d11cfbc1247f745c09a62a94aae
AgentTesla
aeaaaa17804d2291dac3609fcd80d7f3859d2d8a1fa01551174706430699211c
AgentTesla
cbc12ed4a873958d24ba120ff4ad0b390070a1f9caa56c60646f2f4482d41e22
AgentTesla
d832b9d26b8e022fb064d68edfcdc6e33a464fdd854f03c58d0e25b5ed9015ed
AgentTesla
+ 11'658 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-2stc9w2t56/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe bb6ff72c412db950180fbb04fae1919c36c6d8695c3167e2d11853ade00baeb8

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/371019/
  
Delivery method
Distributed via web download

Comments