MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfd87dd98a08682e2f4f9001e698081dba3ef2c2d6b565d7e4c3cd4aae56fc80. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfd87dd98a08682e2f4f9001e698081dba3ef2c2d6b565d7e4c3cd4aae56fc80
SHA3-384 hash: 16564ece2c343dc46165e7c51d80dc1a3b910a9c2f5f62ab2fe8de52b258132dab8b8154fdb390a5d742e8e7ae5eb1cd
SHA1 hash: 1d647ba79d8dd25e432cde1d8a03a5ea4a97101d
MD5 hash: f307f09dd18bf263b3bd836a32fc5f05
humanhash: island-nevada-ink-ceiling
File name:newlee.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:634'368 bytes
First seen:2020-08-07 09:31:13 UTC
Last seen:2020-08-07 12:48:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:y97lHE19O2ffatmNCK60GRvWyfeinOIgrpiATpVh0kZ:y97lkrFXaskXjvW6UQAykZ
Threatray 5'521 similar samples on MalwareBazaar
TLSH A1D4CF58369CB74EC0EA4E75496CFC3096317C265A27C30765C72E5B792EBCA8A017E3
Reporter JAMESWT_WT
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/41566/
Detection(s):
SecuriteInfo.com.Generic.mg.f307f09dd18bf263.7435.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/414957
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dfd87dd98a08682e2f4f9001e698081dba3ef2c2d6b565d7e4c3cd4aae56fc80/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-07 09:31:25 UTC
File Type:
PE (.Net Exe)
Extracted files:
28
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=37mh3wmkbbuc4l2psaa6ngaidw5d54wc222wlv7eypguvlsw7saa._file
Verdict:
malicious
Similar samples:
28a945b0afb49fe99da8a39746a00b93c1a2c0d5b8735e11d8617bd696b2f199
AgentTesla
91e478af0d259a398a1f018da401190e09bb38ee5c15647f4c97a35c43d9800c
AgentTesla
a76f8165dac2ed0f2c8c3543fb7242c968d941e98b7401da8fcb939123c701bc
AgentTesla
a78982f275b83bfca636dca08c404c5952fbf86cba13813fb6d5e2f12ff60986
AgentTesla
d31acaa8a96c58cbb1b8863d04dbbb7e2e0745957ee109d6045a216fa1dcbace
AgentTesla
dc2435622376b023e99e165f3615fcfdb35b8ed157af0ac2fcd3cdf8242592d8
AgentTesla
dfb621588ae460ad55e4c5df59560023c7a87327c85f23b6fb9ee322c6488eec
AgentTesla
fa473a9f7280e22e757799c9d18a21bded2f5500a47063e926105db33e77b4f8
AgentTesla
fa58dde15dbe98f52408204285e10555cc14cf15698804a7aabb92c218ef6d44
AgentTesla
fc93e1dd000a589799d43e1f3ad70aa716a67f1be15512a6eaf6f0490828114a
AgentTesla
+ 5'511 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/200807-tclwmk8ewn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/dfd87dd98a08682e2f4f9001e698081dba3ef2c2d6b565d7e4c3cd4aae56fc80

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe dfd87dd98a08682e2f4f9001e698081dba3ef2c2d6b565d7e4c3cd4aae56fc80

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/41566/
  
URLhaus
https://urlhaus.abuse.ch/url/427091/
  
Delivery method
Distributed via web download

Comments