MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d63ecbdde4826682339433f43e0cbdfcea27166df3be281c627edac8b30eb161. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	d63ecbdde4826682339433f43e0cbdfcea27166df3be281c627edac8b30eb161
SHA3-384 hash:	6d29c56c550b6e213b22abb359124a17cf1d648b3143adc66ec26a423b6cdd99d44fadd5cde90f33922041f4ac2f992f
SHA1 hash:	3dac82eb7cca29114bef583f7b22118a58e62829
MD5 hash:	4c3cbc5431336bacd311c36645aba9a0
humanhash:	london-beer-south-india
File name:	Purchase Order.xlsx.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	425'472 bytes
First seen:	2020-06-25 18:22:17 UTC
Last seen:	2020-06-25 18:52:32 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:GZvReAKAD1Qd7fA+hXgYhBUTOtuewqlXPXwM:GZvRe8QlJV9BUTAu34PX
Threatray	10'704 similar samples on MalwareBazaar
TLSH	5894DF41235C8617DDBA47F9F4602256133BB205A492E3580FCE61EE3D6BB878B636D3
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/14514/

Detection(s):

SecuriteInfo.com.Generic.mg.4c3cbc5431336bac.23072.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/d63ecbdde4826682339433f43e0cbdfcea27166df3be281c627edac8b30eb161/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-06-25 18:21:11 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=2y7mxxpeqjtiem4ugp2d4df57tvcoftn6o7cqhdcp3nmrmyowfqq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1b176bd6e930704b7825d1e4010b3ef70fe135c0a5f457b56c6652df0ec10350

AgentTesla

4f7cbe28e76cbbcd0b554381e0dddc42d29f7ef59716101825addb74a10011fe

AgentTesla

68859b39bf8e3c300407069ca7a4b0928fe552a54b55f57cadbe9184d4e23bdd

AgentTesla

6b0901dc018ef4c90bc7b0dde5278b696a579a818a9ee5cbddb271eecca1b6fc

AgentTesla

8dd103e61c00d73a45a6f3ada98377db7279e0421a1319bac86b78a081c39d4d

AgentTesla

b4d253fd7bee0ac5be341956d6dcce635957111e207bfee5af0fa9067b066bcb

AgentTesla

b8d388272c192d0a4e73fc27d276da94a582cf48328f8884f1e0613170010b5d

AgentTesla

df5986fcb5b6e473947583262fe71a48b644b13c42a2a57cbff970905baf2001

AgentTesla

e11539733ba2b2a3e51e5c03f171566c58900d2b5e41118c6a495d7dbacb2f56

AgentTesla

+ 10'694 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200625-t3x74w5afs/

Behaviour

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Drops file in Drivers directory

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/14514/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample