MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c991fe8c6d840624fbf7b46c88514ff6324fea56997929b0a81d97b0f6eb7f88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 3


Intelligence 3 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c991fe8c6d840624fbf7b46c88514ff6324fea56997929b0a81d97b0f6eb7f88
SHA3-384 hash: 2d92bcfaea2aafa9d89ae016342f4a438a8ea6c99cdd06c361bf2bd095207b4e705c7aa625f86c4eba3493054676a8a7
SHA1 hash: 80ccfcbb63dc194ddf3762aaff2b8c8a6b49fc94
MD5 hash: e9232ce72a3cf88a3d1442248275c797
humanhash: triple-purple-red-leopard
File name:e9232ce72a3cf88a3d1442248275c797.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'000'960 bytes
First seen:2020-05-31 06:33:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:/WtX8XhiZLJLUf9snBS4csPYae6qfzCGVkNLvuvd/XyhTycoCQA09g:/WLhhUF54clNf7CokNLQyhFoCReg
Threatray 39 similar samples on MalwareBazaar
TLSH 3B25D01433EC4B56E2EF5BB5E4B25191C3B1F5626A2EDB8F5D8061FE2D133808911BA3
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.SatoshiBypass-6853426-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Coinstealer
Create hunting rule
Status:
Malicious
First seen:
2020-05-31 13:03:35 UTC
AV detection:
21 of 31 (67.74%)
Threat level:
  5/5
Verdict:
suspicious
Similar samples:
4aebd2918942c4d01076cd9cb47402c5b8c61e14e86a397488d1abc2e444d626
AgentTesla
555f84812f700d1448fd200f04200ae9d17413652be94c54ba442fccdf9104dc
AgentTesla
642ecc0813761138cff276fdece24e479604dbc7c012a2a168d018330e1905e5
AgentTesla
701e2cddd4d1628c01c3ce13a20b5414726995565377e6ddc3133d1245a88cb4
AgentTesla
87ff4257e145cb109c3a91260b9412e0bf13ab481ee0d2e592254f8dd77db458
AgentTesla
aa0ef170fbdf28b626cafc71c401ce5e5b151efca751e1301ab1d68ddc6af5ad
AgentTesla
b5a2e0292c56936942684b8d35ac837330a72a61ba6ecba4206c788dd23092ab
AgentTesla
c4a2c8397cfa4f7f16a317aad541b6c48e35c4420249f702b2c6f01faf66ef61
AgentTesla
c4e42ebfd487b325ece4f09d75687c96e252aa8559f8a8daad6336dc39ee5424
AgentTesla
d1eb54cb3aa9ba1fc585cf676c4a814b11786b962da1b1959768794d281084ab
AgentTesla
+ 29 additional samples on MalwareBazaar
Result
Malware family:
echelon
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla family:echelon discovery keylogger spyware stealer
Link:
https://tria.ge/reports/201109-wfcgcjek6n/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Looks up external IP address via web service
Checks installed software on the system
Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Echelon log file
ServiceHost packer
Echelon
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe c991fe8c6d840624fbf7b46c88514ff6324fea56997929b0a81d97b0f6eb7f88

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/372650/
  
Delivery method
Distributed via web download

Comments