MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ebaa784d9f8dd2aa4a65baab9ac9e636cd910ba8b94b076b66e2ac719df4e092. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ebaa784d9f8dd2aa4a65baab9ac9e636cd910ba8b94b076b66e2ac719df4e092
SHA3-384 hash: 981619101f1c4f272d601754d11bf506cdd29f062cef422ddfd8ad477258cda97eaf43b037d5e8eb1c99c6b9b6b66f96
SHA1 hash: 626b231b750c890f79758bf87e36f17909d29105
MD5 hash: 9f51d4cfcf522ab47ac00a64cc4f6914
humanhash: california-rugby-idaho-fanta
File name:9f51d4cfcf522ab47ac00a64cc4f6914.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'046'320 bytes
First seen:2020-06-09 06:03:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:DaUK6VEt64XvTRbRCzSzrIZDyRxNHIhHBAJgSnjoX:TK6N4lbRCzSzrIZDyRxeRBApo
Threatray 10'902 similar samples on MalwareBazaar
TLSH 28257E3DF649D815C23D4571D495D2B06332AD4A7A12C70F39CA3F4EBE723CA222A25E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.29422.1456.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Dynamer
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 06:05:05 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5ovhqtm7rxjkustfxkvzvspgg3gzcc5ixffqo23g4kwhdhpu4cja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
netwirerc
Create hunting rule
Similar samples:
0af91caf5bfd256133203be73629b6fc15dda3a6d11b007549babf7118763cfe
AgentTesla
10a218233adab0c665d5a4e95a6c9af38bc2de5e9c81e9bf0b12587780e1b97f
AgentTesla
4bff91911fbfbb6f44a3879a87f21b04b8dfee9653ae8200e954da862afa3b94
AgentTesla
59d75c05fe35e405f049e39bd5e3d86d7aaa03eff0f47ab8153c49849840205f
AgentTesla
5a280ac4b15b1c6ed5a6c96c88d99c681574bd8a363ee386e69bffe62b995e6e
AgentTesla
61718d09d668491bf0ff58dfab3df987eb86008c6c79e4558dadda099ab68678
AgentTesla
6920173eb3c5031387b852bd2dce1bdce04ed1199b914b72a009fe257d7e6766
AgentTesla
6ca161c6cef800476badba7845b230cb377e09e4da7a6111503eb2f5c45bd3a1
AgentTesla
6eb63858afa241915034f0e38ef048db360a6a1af4cd1a2f10f26de9712805c5
AgentTesla
d3955b520c38bb369e6d3c5e3304fb29e4699cec3aa549fbb8b7f7fe137abf5f
AgentTesla
+ 10'892 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-p89qrgt62a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments