MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f8cf294263a5456fabf8b475376392198c9462f7035714d77f0e31ab437332a7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f8cf294263a5456fabf8b475376392198c9462f7035714d77f0e31ab437332a7
SHA3-384 hash: 2870987f67e96fff38412ebd1e003b82a77ef77ef42c3b9d4f87d695f5ef382284ab320293ee486c1b053ef64212afbe
SHA1 hash: 95183e28c2119e65b63aa0f682aed2a86c90cdd7
MD5 hash: 5de0d1e5ea161bbc55981f82fee566e0
humanhash: pizza-fourteen-bravo-foxtrot
File name:Swift Potvrda OUT20033377 (1) upaljaci.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'830'894 bytes
First seen:2020-05-08 09:11:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d95adbf13bbe79dc24dccb401c12091 (881 x AgentTesla, 737 x FormBook, 236 x SnakeKeylogger)
ssdeep 24576:Itb20pkaCqT5TBWgNQ7axL+zNAuipjUHgDOIEqHArwa4vbzweOruy3YJmIR6ATO:RVg5tQ7axLkAuipwoOIDAsvbQZ30Z5TO
Threatray 7'685 similar samples on MalwareBazaar
TLSH 7485F11273DE8370C77152B3BA657711AEBFB82506A5F5AB2F940C3CF860521A21E763
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: relay-bulk2.stackmail.com
Sending IP: 185.151.28.79
From: rgs@gecisteknolojileri.com
Subject: Swift Potvrda OUT20033377 (1) upaljaci
Attachment: Swift Potvrda OUT20033377 1 upaljaci.zip (contains "Swift Potvrda OUT20033377 (1) upaljaci.exe")

AgentTesla SMTP exfil server:
send.one.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
86
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Trojan.Ramnit-1849
Create hunting rule

Win.Trojan.Ramnit-1847
Create hunting rule

SecuriteInfo.com.PSW.Agent.BORA.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Virus.Ramnit
Create hunting rule
Status:
Malicious
First seen:
2020-05-08 09:36:13 UTC
File Type:
PE (Exe)
Extracted files:
26
AV detection:
45 of 48 (93.75%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7dhssqtduvcw7k7ywr2toy4sdggjiyxxanlrjv37byy2wq3tgktq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0470f08d56065fb5c78585dcc719c097276d9831beaa6d92c5e4b9460b8fe22f
AgentTesla
0bbe99d89a3e5e1b3ef7a9a9c6763ef85fb21a280fed3b913102e71d2368bbb6
AgentTesla
4c85122f83c69509a94932fa916aed7c8d8096463dbee29ccdbe3abdbd492b6a
AgentTesla
5c6e6b2ac1dd3b79f6bd5de563d90e9614d75a2f33dbde962dd708242e6eb1b8
AgentTesla
782fa714fdc51cee0a898e99f98093833524a280d11dbe52aa74b4e18b37262c
AgentTesla
89f5773de397e09275d7d02812ec937343e878030232964061bb6aafdea5ccde
AgentTesla
98011c4066f47e8f3628772faeae182566a68c9829eb9206b04115b307c42f5a
AgentTesla
ac5ebb2296437f981009943674e53071e6154c70b2ba473f816a3fec9a42d172
AgentTesla
aea00ce89a5c0cc7c73381533180c5968ce79341516a262ae938a31acd7cadd2
AgentTesla
bd49dbc39747130c1e76ad9ce9579a8d4fe5ea95ef5ade5568db2b398c072327
AgentTesla
+ 7'675 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-yqptjr4c6e/
Behaviour
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
UPX packed file
AgentTesla Payload
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a22c4cf2879bbebd0b0c2093cd165695

AgentTesla

Executable exe f8cf294263a5456fabf8b475376392198c9462f7035714d77f0e31ab437332a7

(this sample)

  
Dropped by
MD5 a22c4cf2879bbebd0b0c2093cd165695
  
Delivery method
Distributed via e-mail attachment

Comments