MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d928fd149fa3f096123739582e7ae39d5c979f65c5fd9f475a36a7a12c6f67c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d928fd149fa3f096123739582e7ae39d5c979f65c5fd9f475a36a7a12c6f67c8
SHA3-384 hash: 1f59e73ea91a967f0dea5e056c4e52f1d0b8cb0e91a0dc5699e50422c9ebab3aa54e9ef72e370212dbd00b474606cabc
SHA1 hash: b074d401097127831afd15d4ada88e8c5a017ec1
MD5 hash: ed42e1915b0e196df16b8bdd98abb909
humanhash: fanta-jupiter-speaker-massachusetts
File name:Mariu.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:219'136 bytes
First seen:2020-10-22 08:06:46 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 3072:W9WFBnTzzr2FoCjcUyqcxUg7ikew9++rRQgUjNhP1Nc7aPuLmkC8MgzatHOOCV:W8Eo3UbkU1mdURTKCuLg8McGHO
Threatray 723 similar samples on MalwareBazaar
TLSH 252439166714D521CB6F417FC01AC20831F1D703A72AD68F5AA6D8FA1F811CEFA2B9E5
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: m30.nskorea.com
Sending IP: 110.45.231.30
From: Rick Dicianni<r.diciani@idscorporations.com>
Reply-To: <r.dicianni@idscorporations.com>
Subject: Your catalogue.
Attachment: Samples.img (contains "Mariu.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d928fd149fa3f096123739582e7ae39d5c979f65c5fd9f475a36a7a12c6f67c8/
Threat name:
ByteCode-MSIL.Infostealer.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 07:44:42 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3eup2fe7upyjmerxhfmc46xdtvojph3fyx6z6r22g2t2cldpm7ea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
18fd02253bd3e3458ae988dc884567ac238606beeb1095c9c849ee58becc48f7
AgentTesla
3e85f299521db50b9f3e2004b0e07f2f9dbf8ea0d26460fa4782a73f6007e002
AgentTesla
44de8368a07efe44888bfe4b83a307c6002a0c4202a02150d884248c8b8ae75d
AgentTesla
57f9de709f4ec55a5dc4cc77a99997b4c5617e769b2e68e301645b7913d6891a
AgentTesla
5967386e3a83cb9e0066223388892aade38751662b856048184c262239411aae
AgentTesla
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
AgentTesla
764c115297d49fb85541c3cc22d8434745ed160094221ef22bfc513398d2ace6
AgentTesla
81a408670b2a419c4383f47f1bdc1bf040e8070e8f4eaa734173478a6ee2347c
AgentTesla
955b975ba713a4027be44b9b6b35b0cebe27439c71d09309992a89b6185cf4d5
AgentTesla
bf993f6195527053ecdbb6c83a6ddd94528d867b26e04cdebbbcb6f3bfd813c8
AgentTesla
+ 713 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201022-7b5d9gq87e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
d928fd149fa3f096123739582e7ae39d5c979f65c5fd9f475a36a7a12c6f67c8
MD5 hash:
ed42e1915b0e196df16b8bdd98abb909
SHA1 hash:
b074d401097127831afd15d4ada88e8c5a017ec1
Link:
https://www.unpac.me/results/c08aa2f5-a711-47b1-9d22-c5a85e282b90/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 367c6db9d5a5d672e5c7fd6560749eff166bda85e742fae45efabfbc42d59026

AgentTesla

Executable exe d928fd149fa3f096123739582e7ae39d5c979f65c5fd9f475a36a7a12c6f67c8

(this sample)

  
Dropped by
MD5 0f43430c829ecdf08fb38e944fb9beb9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 367c6db9d5a5d672e5c7fd6560749eff166bda85e742fae45efabfbc42d59026

Comments