MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 de73630f859a6dba52453a892617a307e558db924476b484b5b8c4f1407e7e35. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: de73630f859a6dba52453a892617a307e558db924476b484b5b8c4f1407e7e35
SHA3-384 hash: 5d81795c88c9e8f8814c2905b155164afa983cbc7661d1e52bb288d0abf88556efdc092af694a2764a8a5b9fd68a99bc
SHA1 hash: a36aa877b25bd518335aa9bdc446a569828c6c91
MD5 hash: 310c5f40b52d64f8b2cd4ee4b94fe8af
humanhash: arkansas-delaware-winner-fourteen
File name:PRICE LIST AND PO 00121110.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'817'088 bytes
First seen:2020-05-04 21:11:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:0tb20pkaCqT5TBWgNQ7aoSLMdcsGZcw0I6XqKV/L3EhzXm1EMqda6ecoV6A:dVg5tQ7aoSLMdcnZcZ6U/L0ZmOzw5
Threatray 10'899 similar samples on MalwareBazaar
TLSH B285F02373DE8364C3B25173BA5A77416EBB782506A1F4EB2FD80D3CE920121565E6B3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: sonic313-42.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.133.216
From: Maria Bianchi <s.moses56@yahoo.com>
Reply-To: Maria Bianchi <s.moses56@yahoo.com>
Subject: Fw: RFQ FOR QUOTATION [UPDATED PRICELIST]
Attachment: PRICE LIST AND PO 00121110.lzh (contains "PRICE LIST AND PO 00121110.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

Sanesecurity.Malware.27684.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Bsymem
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 00:15:50 UTC
File Type:
PE (Exe)
Extracted files:
11
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3zzwgd4ftjw3uusfhkesmf5da7svrw4sir3ljbfvxdcpcqd6py2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1d65f520dcf085dd382b99c7869b4516a0a75a0ba038f924af2f9e6fb87dc7d1
AgentTesla
370fce30fb19905514c9e42d8cf687b95552261d2d5d47be8b273eca41cfb66f
AgentTesla
4bc494204a6950d07cdbc7181b7b9588d037d7118e31fb41f0156c2b44423e34
AgentTesla
61a1e5d143ee0c8d5929ac7386b60fa13baf8e43745f644aebc970e267b6f67a
AgentTesla
897404cc2ca210c686471117bddcbc78d540347f78e008501e2956085174a104
AgentTesla
97710735b12579f3c2b4fb0309242bee212b7f2cd6182fd8e494bcaf5dd42d57
AgentTesla
b9464d27c038d3f5cdd28f88083396b4e29a7fa78cdb384b572f3f13c3fd5a3c
AgentTesla
c2d6a58ae4cc93b225f512a127c751c63398d0fdb7f847b77c83cad6cb79e6bd
AgentTesla
c796d41449235b098b526b28883099b4dac087593d8068396e2c05b28c74a773
AgentTesla
eeedd8acd669d7cc4e53352eb876727052e7c8022520854742903d7e3192cf57
AgentTesla
+ 10'889 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-y1zwn5cwv6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 5b7a2023c43bdac9adccb7f6c08edf195cec2a784834397c672d2621c91d0468

AgentTesla

Executable exe de73630f859a6dba52453a892617a307e558db924476b484b5b8c4f1407e7e35

(this sample)

  
Dropped by
MD5 0c4a1fb3b569b831b979ac3fbc43d37f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5b7a2023c43bdac9adccb7f6c08edf195cec2a784834397c672d2621c91d0468

Comments