MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c156b208c8ec14bcdc873531c5efac6d74ad452ebc42368a10838383ab49c5fb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c156b208c8ec14bcdc873531c5efac6d74ad452ebc42368a10838383ab49c5fb
SHA3-384 hash: 4af88e466d097238078099c493d7128dadbc0b73b1b9aa3796290d9a7d37b641e91588f7b471625ca72491171b306030
SHA1 hash: 90909e07e3e1a272f2c76e8d60841ade7460732e
MD5 hash: 69f7b2f6367005166610df3a79fe816a
humanhash: october-purple-virginia-freddie
File name:69f7b2f6367005166610df3a79fe816a.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:980'480 bytes
First seen:2020-06-17 06:01:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4c5930d78fbf43bb1310362850cf7589 (10 x AgentTesla, 5 x Loki, 1 x Pony)
ssdeep 12288:Pvb7RSh1zZ+S6rGb2sqdM89yYNQoX5+cQhSkcx+vhiyiKNA0qSL66jQ2TelZ9h:XHRSh19IxsqFRG3vtiAA0qSL6OWF
Threatray 11'057 similar samples on MalwareBazaar
TLSH B0259D2AE3914433F573EA389D7B5777593ABE102D3C98462BE58C8D4F3928178352A3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
almashosting.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19109/
Detection(s):
SecuriteInfo.com.Adware.Generic4.BBFB.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Infostealer.Chisburg
Create hunting rule
Status:
Malicious
First seen:
2020-06-17 06:03:09 UTC
AV detection:
40 of 48 (83.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yfllecgi5qklzxehguy4l35mnv2k2rjoxrbdncqqqobyhk2jyx5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
097a63aa1a0f265f5ae61c25a5bf1c33f6d376969efea2e5beea2a33d20cf169
AgentTesla
312ca2779ca2502a35fa0de2215e9ada5965a55896842f0c7d6742b8989d50f3
AgentTesla
48712d577e05014edb911b241b47d008fff6907920e41146f7c9a66a1f8ff52a
AgentTesla
6c23d5aac98c05cf9faca072f1875f7fcde253a4a782dda7d897681bda6f92d9
AgentTesla
890be95e80abe228a943aad583f5463da9b56f6191c0672fe3bacbbc2b67402b
AgentTesla
abf166f61b004ea709bfdb2460b963805e5bef4773beecec293134a7fc14a6d6
AgentTesla
acea43435c7dedb7b910e538aa72997d038b8b45112b58ae219c056ddda851af
AgentTesla
c6e26d183274fdfc63535e49ede53c4e7894de05f0054341bb031598186f138c
AgentTesla
ca0b556ff44259aacea1061aec8f026cca87dd2f8e786349ce312cbc4f8690db
AgentTesla
cc764009f2970de6acb84a66e9a21b4d854d92aeee5364ffe513bdcb542bdd7e
AgentTesla
+ 11'047 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-gbb93bpnas/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c156b208c8ec14bcdc873531c5efac6d74ad452ebc42368a10838383ab49c5fb

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/387431/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/19109/

Comments