MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c91e8129cb25677b01b171c95df30e2d7500eb40f2c375b70aa0463564b385c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Intelligence 2 File information 3 Yara 3 Comments

SHA256 hash: c91e8129cb25677b01b171c95df30e2d7500eb40f2c375b70aa0463564b385c5
SHA3-384 hash: 53b33156ab44b295c0ea6cdc878d36598ab8769bb5747839f72383167f847f95578e7b47de585c1f94d1140a3b4ed121
SHA1 hash: 3347f073c4ad2fa6b1e8d67dab4e0b620421862f
MD5 hash: 7bd2515a0f9ebde930e27c0bf06e131c
humanhash: mississippi-maryland-crazy-foxtrot
File name:Scan copy 06-30,pdf.exe
Download: download sample
Signature AgentTesla
File size:668'160 bytes
First seen:2020-06-30 17:39:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:XwyyrFwlrQeiWSmPZDFTEM9RlZy9Dohgtef4wLqVABh8rMchs04:XKrFG8eigBTLhgPVAH8FhK
TLSH 46E4F83A7EC5E504C53C1A3284EA59D273B1B4872B23CB0F6ECA575C5E0379B3E1625A
Reporter @abuse_ch
Tags:AgentTesla exe

Malspam distributing AgentTesla:

Sending IP:
From: Ms. Sally <>
Subject: Problem with intermediary bank
Attachment: Scan copy 06-30,pdf.iso (contains "Scan copy 06-30,pdf.exe")

AgentTesla SMTP exfil server:


Mail intelligence
Trap location Impact
Global Low
# of uploads 1
# of downloads 36
Origin country US US
CAPE Sandbox Detection:AgentTeslaV2
ClamAV Win.Malware.AgentTesla-7660762-0
CERT.PL MWDB Detection:agenttesla
ReversingLabs :Status:Malicious
Threat name:ByteCode-MSIL.Trojan.Kryptik
First seen:2020-06-30 17:41:04 UTC
AV detection:24 of 31 (77.42%)
Threat level:   2/5
Spamhaus Hash Blocklist :Malicious file
Hatching Triage Score:   10/10
Malware Family:agenttesla
Tags:spyware keylogger trojan stealer family:agenttesla
VirusTotal:Virustotal results 26.03%

Yara Signatures

Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Rule name:win_agent_tesla_w1
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.



Executable exe c91e8129cb25677b01b171c95df30e2d7500eb40f2c375b70aa0463564b385c5

(this sample)

Dropped by
MD5 6925bf107380e4e8553a3b2d2aad8612
Delivery method
Distributed via e-mail attachment