MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d8df9c022a03d7da5ca463e2cc64eac786733a6970635e2e131b7763af1d1984. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d8df9c022a03d7da5ca463e2cc64eac786733a6970635e2e131b7763af1d1984
SHA3-384 hash: 9dd710d638955f1fe064aa967c95d865727a4cdcd279c08fc043d8e6b713ac0ead012ba6232a10b106cfd4c206ddd946
SHA1 hash: 5514cf32a4dcad7f9540098c427829ada0bf359d
MD5 hash: ee081f9bcf345497363d1a71d7f0ebc9
humanhash: rugby-yankee-sierra-diet
File name:Inquiry3774664CK_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:477'696 bytes
First seen:2020-05-06 16:38:10 UTC
Last seen:2020-05-06 18:04:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:VQpkUvtmXQ3xVVAc0hO72AUwLsD+LnFerttW9d3GS:RUcXQnVA9O72ASD+royd3GS
Threatray 42 similar samples on MalwareBazaar
TLSH 6BA4BE066A98CE14EAAB573649CD662593FD84431773DF6F0E6C06A668C33C41F233AD
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: [209.58.149.66]
Sending IP: 209.58.149.66
From: Jijo Joseph <sumant.k@indiaelec.com.sg>
Subject: April Quotation Request (RFQ)
Attachment: Inquiry3774664CK_PDF.gz (contains "Inquiry3774664CK_PDF.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
3
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.KillProc2.10319.8471.29278.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 23:04:00 UTC
File Type:
PE (.Net Exe)
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3dpzyarkapl5uxfemprmyzhky6dhgotjobrv4lqtdn3whly5dgca._file
Verdict:
unknown
Similar samples:
2191855267443ca89d1a1e52773e5123b563d71d50613cbd8ec253c9cc2b95ca
AgentTesla
2eaf25d2c99eb49743060031a22428bb7c8e78a99869638cfe43b977dda57f22
AgentTesla
3e3ab416abadd9093b15f9dcce92f3530709aba8addff16a74e89bd3a7bfd8fd
AgentTesla
41eef1a870eaea8573585611d3fd3b9f0fb30ed20ffe94e7082b8925b12c329d
AgentTesla
4877df324375a116062963d9905fe55952f405b0837b6f517cea9fd040932b84
AgentTesla
799e7b4209f8eaba177033adfeede982f04fc78671aa15d64e57d82b9040a92b
AgentTesla
a90e37c7de58a0fc3d94a5450340daf5b37da566125c3f8ec21bb3d66a457226
AgentTesla
bc742c33c446a25e6482c4209436088415d5c89a7f8ab66f37f16006d62344ac
AgentTesla
c9783969d5474b7035fab8eb6acfedd475ec7297cd8042f5a188b21c48b9491a
AgentTesla
f32e731527a2a3fa24a75c8732c2e236dfb6dd4f09c50add479d6cf9e018d34c
AgentTesla
+ 32 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-e377rh9sh2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 529e662c5fb257e985fd1fcb797e4e2e098f0c6f00a40e1006a1921ab8a12994

AgentTesla

Executable exe d8df9c022a03d7da5ca463e2cc64eac786733a6970635e2e131b7763af1d1984

(this sample)

  
Dropped by
MD5 9e50ded2cd8ba9f48ccc886121218e0a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 529e662c5fb257e985fd1fcb797e4e2e098f0c6f00a40e1006a1921ab8a12994

Comments