MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f05b8b79b72f786326a8ffebd1603e7d12c9aa07b4ad6b502ee83fc03ad66ebb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f05b8b79b72f786326a8ffebd1603e7d12c9aa07b4ad6b502ee83fc03ad66ebb
SHA3-384 hash: 82ce0cf91e91c50b0348134c3c7ef21d3949cd13dd3369bcb5c01ebe7c20a0fa05a4efaf68cf0c6f70aed18ff8b4ef75
SHA1 hash: 1d4510e8ae85c8b005b00cb077761fcaab695747
MD5 hash: 18138ae056658619f9bdede1c0ae10f7
humanhash: ten-item-glucose-ack
File name:Requirements on plastic.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:671'744 bytes
First seen:2020-05-26 17:19:08 UTC
Last seen:2020-05-26 18:08:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:NoGSzYBchtzj6VEJD6LpYYh5SiBdLYzULpR4b9IGQS0nwOYAMTpT6nb146fCrAqF:NoGSR6VEt6RbLd1iItf8TpT6XCr
Threatray 10'628 similar samples on MalwareBazaar
TLSH CDE46C3E7A45B805D13C497A10E55690B3B1A6837E02C31F79CBA76CAF013FB77462A9
Reporter abuse_ch
Tags:AgentTesla exe HostGator


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gateway23.websitewelcome.com
Sending IP: 192.185.48.84
From: julie@cnlabglassware.com
Subject: REQUIREMENT ON PLASTIC
Attachment: Requirements on plastic.gz (contains "Requirements on plastic.exe")

AgentTesla SMTP exfil server:
mail.keestersew.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.22289.9906.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 18:03:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
20 of 31 (64.52%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
nanocorerat
Create hunting rule
Similar samples:
0af3648d246990f96ef8f93895d7c4f7bc16a7e190c6ed772596a27c9fbcb761
AgentTesla
1a7536823e4ab496ae01d1f878ed16da358aa6313ac0da85562b1039ccd4e4a2
AgentTesla
2f57b955947cf5f91456dea9adcaf9ccf3d8a1a8f0e2d011e5b8952119a06031
AgentTesla
31af9b24112716aa29d6e5dec98b5f8ffc5986e9eee2458ce7bce958f2b8742a
AgentTesla
4e25b6d4521cf58ad62d8c11c621c6f54d4ebb0ee8f50cebd904c882e6c9a66e
AgentTesla
5e75bcc407b1263e3d3d72f2262d16a48b456103c9078eeff72159c29800eaf9
AgentTesla
b8b8e62feaec33152c50ddf39310c38efb3147873a896293fb4a5b6d7e9b2aec
AgentTesla
c6f9b1e471a5ef092f97c961777b949d5f7ddb47db83ae302cca793e41daed40
AgentTesla
c77f6f00489f6a1270a3e1f783f53d9eb710f2ca615ab8f98dae03ea036794cf
AgentTesla
d3391e9c475243663aa77b0c4f57e482cf6738498a3e15c7ada35079da92edf5
AgentTesla
+ 10'618 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-bgavaqsy46/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 01ba888e6ba63e9adc3debbc1f423f4bff084be0e78bb024ac8ebc1320bde6cd

AgentTesla

Executable exe f05b8b79b72f786326a8ffebd1603e7d12c9aa07b4ad6b502ee83fc03ad66ebb

(this sample)

  
Dropped by
MD5 65faada0cf09a7012d35b03def378bd6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 01ba888e6ba63e9adc3debbc1f423f4bff084be0e78bb024ac8ebc1320bde6cd

Comments