MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e658e882e9edcae046e5229fbf61c435264f57f9a8af9b2cb5fe4419ea4cdb1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e658e882e9edcae046e5229fbf61c435264f57f9a8af9b2cb5fe4419ea4cdb1c
SHA3-384 hash: 52c80d06a3459615c2dbc527a6219adce671a327572ecfc1443680adead7034bd8f33b8914a4e0d3c6b765a7519cbadd
SHA1 hash: 0b0086a04e914996e5b4bae742f8372cf481a302
MD5 hash: f85730c10ff56e1382a768aca349bc5f
humanhash: wyoming-delaware-lemon-lemon
File name:Scan - Swift MT103 document 24.06.2020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:460'288 bytes
First seen:2020-06-24 05:40:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:7J8W/4uUCRWcUZ9hb/RsF19dJJXHNMfwAn:CY4gWcUZz/R019xN8
Threatray 10'641 similar samples on MalwareBazaar
TLSH FEA4021A779CF92BC57D26FA88D55B0893B30A9A7292F3EA6CC074D614C33F605216C7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: petrit.best
Sending IP: 104.129.0.123
From: Halen Rodda <info@biomaxgreen.com>
Subject: swift copy of payment made on 24/06/2020
Attachment: Scan - Swift MT103 document 24.06.2020.xz (contains "Scan - Swift MT103 document 24.06.2020.exe")

AgentTesla SMTP exfil server:
mail.daiphatfood.com.vn:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13416/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e658e882e9edcae046e5229fbf61c435264f57f9a8af9b2cb5fe4419ea4cdb1c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 00:47:36 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4zmoraxj5xfoarxfekp36yoegute6v7zvcxzwlfv7zcbt2sm3moa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
17a6ef291331acb9fc408450a61d0aabd3db01fcea33592c32c6d955f7d35d19
AgentTesla
190f171b8701970bf91d4369573c70132fa3b8e499c33b8af09d7c9808ec8a32
AgentTesla
367e5e97153f85008f89e575fc7e5b871eccc671b8247acb92e89a128204ab41
AgentTesla
54d05b40cd778ff8328576a776c5f28c5bf6db2c15bd6ccb4dce17a27336d55d
AgentTesla
85381937986fd4a23e7d01e56f02a097dc2cfa7967f1aeb2f2d8708206951e34
AgentTesla
a2e1197998978fb090b0cbdeb9365d22730330c30b9bf53f6b6e0cfe42da856a
AgentTesla
cb037c1db10c1211bf9ae9b2bedffefffc20a3ba95295efd69f2f270c8afed30
AgentTesla
d12fda0c8cf02474c474c6cbeba40591ba336a7fdf8d3f164493e5f6200f77ca
AgentTesla
d326b6a6acf6d99f5908f7da9aa2d55b88bd1df972b019a0b276d811dfcdc01b
AgentTesla
ff28ee9468d1e2d7a55d7d1d619415f78866bc8d4ba179f9215a7145bccea044
AgentTesla
+ 10'631 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-p3l5ese5vx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

xz 2257bf274c03e273d2a60a7f93d008ede8bcaf7e0295c598c6270ab849e47d50

AgentTesla

Executable exe e658e882e9edcae046e5229fbf61c435264f57f9a8af9b2cb5fe4419ea4cdb1c

(this sample)

  
Dropped by
MD5 e2687c497ac7ba0edb5564fd09b3910d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13416/
  
Dropped by
SHA256 2257bf274c03e273d2a60a7f93d008ede8bcaf7e0295c598c6270ab849e47d50

Comments