MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d18f2326e0bed235a2f86b15d3c2a20a4d845ba37e1252d2801c6cc6dcff0352. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d18f2326e0bed235a2f86b15d3c2a20a4d845ba37e1252d2801c6cc6dcff0352
SHA3-384 hash: 3a9513b895b6169798793257d8adacf29a64bfcebadbc08c01b44776e579c56dbcd75db0f2de9d6f9b6e41bed5e239eb
SHA1 hash: bd548a91b3f53ea53019ff49f9e718cde97f64b2
MD5 hash: 21a94ba3691581c1c0860985c0050c56
humanhash: twelve-nitrogen-texas-fillet
File name:21a94ba3691581c1c0860985c0050c56.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:307'200 bytes
First seen:2020-05-14 05:51:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:G5JSRknhCo/SLcgVERLUPHv0loKccQudbNwonb:G5JADVEhYvGeZul
Threatray 10'552 similar samples on MalwareBazaar
TLSH 7064297DBB48B902F23D4D7291E1522012F1E0435E12D34F6EC86BEDBE5D7C9294A3A6
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 20:39:36 UTC
File Type:
PE (.Net Exe)
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2ghsgjxax3jdlixynmk5hqvcbjgyiw5dpyjffuuadrwmnxh7anja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
065bc29beee579f4df10691c61b9d3bc38ac4c271da4eb2e1ccfce7a2e33dd93
AgentTesla
34fc29ec3e0cf03857148f125024141af690ef27e224fc0cd5aa9a45aae7e1f4
AgentTesla
5fb13ec9aec5b17f482da9aa1b4843d58721d0c99090e9f6cb3a88940666cc61
AgentTesla
61d161078b5df18b4f242f0e01e2c1bbaa565c824fd5bba7a7c83d748d27afea
AgentTesla
93d94861c9feb7b9fca386254d8ab5637cf78e4145527753fdafe7346d28fbe3
AgentTesla
9a13981eb4fb532d207c90f4f5689d9ad4d9af29e2ddf7030d78c513330c4dbe
AgentTesla
9af31d18ef5af8d20ed75f9cc76185d119990e2adea7748c16562359a1dc3d5d
AgentTesla
ade559fead2fb46603d4e1ee25ba703f093107ad8ac2a643ffd7bb7614459205
AgentTesla
e127a69284fb0dfa24cf49db889e6666e8efd039173a5b6f70b1ded73d66f041
AgentTesla
f1c58bc5387daaca15abc7de2e134f79d9e6371474025be61d9300fbf6b8fc32
AgentTesla
+ 10'542 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-73qmw6rvxj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe d18f2326e0bed235a2f86b15d3c2a20a4d845ba37e1252d2801c6cc6dcff0352

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/362254/
  
Delivery method
Distributed via web download

Comments