MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4a2f0fc57afb3f08bc128e0653b8c8d82651cf292687a89e9b7cad50b801376. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4a2f0fc57afb3f08bc128e0653b8c8d82651cf292687a89e9b7cad50b801376
SHA3-384 hash: b5e1f933521864c4929957abf5873778268d2d0777a271438318b054b8fa0e22cee9f090abf104b1d7364e4477b3f908
SHA1 hash: 527767271dae2c4b75b0d215406b37cc0a73770b
MD5 hash: 64de41cb17473ccee7ed0f6605a49014
humanhash: washington-texas-ack-pip
File name:Pallex ITALY_74648 PO.doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:513'024 bytes
First seen:2020-06-02 08:37:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:lqGteq6yjw534dcb0PKfFNMynWJTbIYQeqFVLo68yN9wMA:lqGUhyjw53oPKtaTbIVv
Threatray 10'871 similar samples on MalwareBazaar
TLSH CEB4F1897254B2EFC867D4B2EEA95C78EA5074BE431B8213942325EEDD4C947CF244F2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: zimbra207.megavelocity.net
Sending IP: 192.206.6.182
From: Alejandro-Pallex ITALY <sandeep.kumar@budget1.in>
Reply-To: Alejandro-Pallex ITALY <pallex@italymail.com>
Subject: Re: inquiry - PO QX 3746_ITALY..
Attachment: Pallex ITALY_74648 PO.doc.rar (contains "Pallex ITALY_74648 PO.doc.exe")

AgentTesla SMTP exfil server:
premium57.web-hosting.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 09:36:20 UTC
AV detection:
26 of 48 (54.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4srpb7cxv6z7bc6bfdqgko4mrwbgkhhssjuhvcpjw7fnkc4acn3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
5647bcd7cf243ba17f489f227328f219f77c778c9a99474e358352275b552e66
AgentTesla
755757fe45ca7ec3347803cad3da8e3d964c330f4649e014b22d6851c7acc5ef
AgentTesla
875ffba606e3244a1644cd39e50e7eb9ee7d9d93f99bc56019b52fcada9b95a5
AgentTesla
9adde697bc903a7d76a736935a851f916bb6ef5d1e4e6d89dc023c1f21d43791
AgentTesla
a452cdb62ce6e25a0202e638112c3837fcd9fc7eb9b8d21b49fac3da79d2e27a
AgentTesla
abe4c6ba6e3908ab7f17071d3773a814a3c833c6e85abb44580820f12e07c395
AgentTesla
b03b486f2ea79250fce879d662f2256839349e2df4d59ed964eb493ecb6b9494
AgentTesla
b6a58bc3f41e4914190b15761baca60507bc4763dd6305c499c52f95ea042727
AgentTesla
d8870692e7257159505b1805f3be306591ddfb635063973b1caedb236d96547c
AgentTesla
feccccd454c175c67dc7c4c0f291bf467b34355bfb9901a0a9582a448c16dc52
AgentTesla
+ 10'861 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-d75766xzwa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 19c7a872bb1f647c7460ffee9eef38fe244d6e83301324890aa8b17b1fd1aa46

AgentTesla

Executable exe e4a2f0fc57afb3f08bc128e0653b8c8d82651cf292687a89e9b7cad50b801376

(this sample)

  
Dropped by
MD5 9bd5fa08ed4d7a9e7d87efdc30e8476f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 19c7a872bb1f647c7460ffee9eef38fe244d6e83301324890aa8b17b1fd1aa46

Comments