MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c32b2c89d798742a6e6b3b54bef5dec58bd9f9e7a10cd106097943773d4f6179. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c32b2c89d798742a6e6b3b54bef5dec58bd9f9e7a10cd106097943773d4f6179
SHA3-384 hash: 0380da60e6af588a3f5ab8107012aa5f59c7d76d0735b1a26c4b75eeb3dc5c38204f51ccf5445d4c24cac18c856fefd9
SHA1 hash: 16c6fe0c480d57f3b666250fadce38b0244d88cf
MD5 hash: c31bad21a1a804039378e7a34ea30c5c
humanhash: helium-edward-early-cup
File name:c31bad21a1a804039378e7a34ea30c5c.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:288'256 bytes
First seen:2020-06-03 08:28:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:bhHdwOJIba9GMD159bNbqPrOTZ+3bZZQfQQEWHGgiwhdHihqtveTMqqgbEkux23t:bhHqOqba9LhbAwhFiAWUC/G2gog9X
Threatray 10'586 similar samples on MalwareBazaar
TLSH 795418AD6B88B902F73D0D3349D2566013F190874E12DB0F6FC45FED7A5A7CA294A386
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
server257.web-hosting.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Rdn
Create hunting rule
Status:
Malicious
First seen:
2020-06-03 02:19:40 UTC
AV detection:
28 of 31 (90.32%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ymvszcoxtb2cu3tlhnkl55o6ywf5t6phuegncbqjpfbxopkpmf4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c1c9a1447f9bda8eb996b3b977d78456b9d0fed5a2102e59205a614079cde69
AgentTesla
0cd0835a890fb2ec2f128c02e0e0c235e83cae1c643ed1ba7d5decec18834c73
AgentTesla
2099086de840687d633b7c1448c6b337ac982528dcd94ecf70a094f5df5a3ea7
AgentTesla
62005a4721dc55f0752df55ca79bd85ccb46ba28a34d10d8f29880e087b69896
AgentTesla
662fef8b4f1d3b467039e66b6c6c415583bca1cb49adf66dbf900d4c48f35db1
AgentTesla
69da44af465f16620592883dd3c8024fef0e6974f4994846d7a8d95c17350816
AgentTesla
715de4488b8f1a697672312f7a67c075c982d3a14cf2614dfb549b995dc34cbb
AgentTesla
d44ec72ea7ed650ad5ae4102ef8b60397673335a4471f2537cf6f5933cc8bf49
AgentTesla
f47cae95fdb8b43629d894b6d2b595b06e93e84f4f0bb2b0837703b6d2bde158
AgentTesla
fe13b5826a85afc204c9be0a3c8da5fb28844c5d7829413d23dd7e4229400bf4
AgentTesla
+ 10'576 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-py6tcp7a2s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c32b2c89d798742a6e6b3b54bef5dec58bd9f9e7a10cd106097943773d4f6179

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/375600/
  
Delivery method
Distributed via web download

Comments