MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e0b1475da71d2c099ae959dfe1d9406fe992efd535da154bf2e423e14e8376aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	e0b1475da71d2c099ae959dfe1d9406fe992efd535da154bf2e423e14e8376aa
SHA3-384 hash:	e0b19f16a0bdbae41c9df6168b2f99df72236479a06c686c3730cac4b350ceaa017428250de3e83a936adada988dc0d7
SHA1 hash:	4c011310c9ec635d60f25e7c954a6069fd6478c5
MD5 hash:	52de5bb665372f95e821aa4468f16aaa
humanhash:	steak-twelve-virginia-sierra
File name:	REQUEST FOR QUOTATION PR0061530_PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	758'272 bytes
First seen:	2020-06-23 05:44:22 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:HoS6WaoqYyuBjdk2KSqWfpxi4ozT+4ZDBBWa21k8bRoEL4HnZTQJUJ+lDAAe8:dcoqYyxupNoz6oeKEUHZoU4dAAj
Threatray	10'678 similar samples on MalwareBazaar
TLSH	7DF419B67B40A825D13E4971447A96926673A14F2D02C70F39C9FF5DBE123CB3A0729B
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/12801/

Detection(s):

Win.Malware.AgentTesla-7660762-0

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/e0b1475da71d2c099ae959dfe1d9406fe992efd535da154bf2e423e14e8376aa/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-22 21:58:41 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4cyuoxnhduwatgxjlhp6dwkan7uzf36vgxnbks7s4qr6ctudo2va._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

38a768da182507828cb8951cae8b8a6cb9399e07c7eec2b680277d3c2cbc2ce3

AgentTesla

561edd9f70bcb31e317b9af7c23b6fcf1af80a556a5837042154880296dd946a

AgentTesla

66a2878b55d41d3e576ec08bb0e28573de3af9dbbbd08567cc730198a490d021

AgentTesla

69e5a4941d5236dad068202444b9d7e6fa25944daef9f04e3eaf60ab77252ad6

AgentTesla

7be3a3d6b712edfa50d8d5a443b5bd7719d57c9be6b7d34ebe2e3e4a7815e062

AgentTesla

8e06f5c0b680e598a1063b921faa1568b00608fae457fedc04a53bc4637977ef

AgentTesla

98629c6d70b7985e3671dc4a824e2f4662dbcd85a787f5d0d546688922f41ffd

AgentTesla

a8c64168f72d3a7af27ae6dfff00da04467744c5bcc04f9292761359e5507cbf

AgentTesla

f1c58bc5387daaca15abc7de2e134f79d9e6371474025be61d9300fbf6b8fc32

AgentTesla

+ 10'668 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware persistence keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200624-zqpa1lbg9s/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Modifies service

Adds Run entry to start application

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Loads dropped DLL

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe e0b1475da71d2c099ae959dfe1d9406fe992efd535da154bf2e423e14e8376aa

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/12801/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample