MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d5414c39cce4d671db2abfc5879a2a2e97a60313070d37c359b01b50f201aed2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d5414c39cce4d671db2abfc5879a2a2e97a60313070d37c359b01b50f201aed2
SHA3-384 hash: 2612d14502a5f938a5cab5e022cc33826d2a1ed9998e75aba1f96dca50cff8a9ad49a6c99d133bd02f9268ef026bd1dd
SHA1 hash: 419b16277e612d1367f954bb4674d91cfbf4fea8
MD5 hash: 1408f36656fc33e202b9c94a1a1e834f
humanhash: jupiter-montana-three-crazy
File name:invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:445'440 bytes
First seen:2020-05-05 07:04:48 UTC
Last seen:2020-05-05 08:10:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:KJDrhcWWVoi9nbAvEsXm/qsFTCDsa0HHXmN:sfsd9bAMomjUlUq
Threatray 10'774 similar samples on MalwareBazaar
TLSH D9942381311DC62BCEB4C5319412BF081F346FB6F853DA8FD6D486A79A437C268579E2
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ns2.ugotmail.net
Sending IP: 91.84.158.163
From: Mrs. Melek AKBAS <melek@alkin.com.tr>
Reply-To: info@marmarayem.com.tr
Subject: Proforma Invoice
Attachment: invoice 1.zip (contains "invoice.exe")

AgentTesla SMTP exfil server:
smtp.ionos.es:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.10282.25399.14214.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 07:35:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vauyoom4tlhdwzkx7cypgrkf2l2mayta4gtpq2zwanvb4qbv3ja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10b2155331d3b0c7934808e52084c3911f82ece51f39836e3ef0e8db39ee9904
AgentTesla
188937c949c23138157a707a06cca97dda5f3adc3b6f98bd07088a321d5220a5
AgentTesla
47c8fab622177ddaa495e4b9294c0949be6c7572ef15f831ee7c326af0200ccb
AgentTesla
5982c804cb3b2c334a54049f3883256169b7e406c2ec275cf3752119110e6382
AgentTesla
7927d24010f7ec25ea4026291036fbab975b5ff66398658e15c59165bb71e953
AgentTesla
9622729f9517d5a5eecd4a278ea564d750b17e300337a0f0e023c986bf0e537d
AgentTesla
9eb1f39ae32ed2c3289f148c0182ef2f8916fe7283400fcffd262798c08ded91
AgentTesla
a884c6f90ec51dc6d39304e05efe5820d5c11afcd90abeaca8969b4adb9448e7
AgentTesla
f57973fe9b7144fd299f70cc04bcde1e442f6816de323361f1b09cb63c4e41b4
AgentTesla
faa14b162487c010a973901cb7a91e48c512b0193fd449be475f94c32b0ff212
AgentTesla
+ 10'764 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-eg1mf3mtba/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Drops file in Drivers directory
ServiceHost packer
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0ec65850335ec681a3eeff1a5aaa05485fa5997bbe3c669eb1bda9100bb3d67b

AgentTesla

Executable exe d5414c39cce4d671db2abfc5879a2a2e97a60313070d37c359b01b50f201aed2

(this sample)

  
Dropped by
MD5 027154360c373f7f09bc0d4fe6605340
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0ec65850335ec681a3eeff1a5aaa05485fa5997bbe3c669eb1bda9100bb3d67b

Comments