MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fd26229099bd979d8cedf9b694ea9417a0b82dda9f17b218a1dd445015c47277. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fd26229099bd979d8cedf9b694ea9417a0b82dda9f17b218a1dd445015c47277
SHA3-384 hash: 248a6b9ae72482a114646c0578514de4816841bd0c44c3452825d913e607fc855892d4fd12e8d35af058a205c8038e67
SHA1 hash: 68803124332bf57b6f6a7cc9fad33d6feee8a48a
MD5 hash: e9567d62f6cbad2e5c23cc82f5f62377
humanhash: five-stairway-sodium-romeo
File name:citat.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:434'688 bytes
First seen:2020-07-06 14:44:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:FKyY7SYG7i+n3HAApBz+HVlBdiAyVWIotEHvlS9sNylNMRROEsOJ+mtu:FKdufPn3VkiAycntEd6sg8jGS
Threatray 10'615 similar samples on MalwareBazaar
TLSH 1894E1B70287BEDAE37D0EB4C28416400DB81C5BDB71C95ABEC831C962B5B14DDB8976
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: pl9.fakat.net
Sending IP: 159.69.67.214
From: Diana Olariu <diana.olariu@spedorient.com>
Subject: Orient
Attachment: citat.zip (contains "citat.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21658/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Enabling autorun with Startup directory
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fd26229099bd979d8cedf9b694ea9417a0b82dda9f17b218a1dd445015c47277/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 04:34:42 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7utcfeezxwlz3dhn7g3jj2uuc6qlqlo2t4l3egfb3vcfafoeoj3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f554bb19749e97d63525c4d964041e8d6fc149cb0aec5c4560cccf09babc39c
AgentTesla
1dc42296af9ef7fa6fb9f894947b9547b964ff2926894bb2b52a09283b7a4b60
AgentTesla
3b6fde65cc308f5f546273a418fa9a710a41250d8bdc9419504dddeeaee04e1d
AgentTesla
66b15ee82b31364bbb038c7a2f60fac0057d01b0865b2b71a4418293fc9e056d
AgentTesla
71146568c5f7e1bc849a6f73bf08ba68c14e73fcaf049da083879f15a2cecc44
AgentTesla
86b9cc599fa4d284440a59cfce0e71521562d221f87d2408925482f42d96861d
AgentTesla
8e6958bbae022603caa738afd463ce24c8b5d39776932dbc847eae282d248f7e
AgentTesla
bf9a8a5a9daaf6b026a193e759bf42d4f0b79431db5125263c356a5c1168b523
AgentTesla
c01753dd68c42bc2c0378b93891b424d671cfc6a58a8726e40fa9675122ea028
AgentTesla
f782488d6cffc08636ce326d9ab116f99c7abb7a6ced4391f9341e709144d100
AgentTesla
+ 10'605 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200706-1q1sbv5wp6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Maps connected drives based on registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Checks BIOS information in registry
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e0086eee7d1ee35ecf7421113b9b13922ff6d040f2eca5130ac6e7f4c2b27b3d

AgentTesla

Executable exe fd26229099bd979d8cedf9b694ea9417a0b82dda9f17b218a1dd445015c47277

(this sample)

  
Dropped by
MD5 063166ae6b08a9c991210f59103aab3b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e0086eee7d1ee35ecf7421113b9b13922ff6d040f2eca5130ac6e7f4c2b27b3d
Cape
Cape
https://www.capesandbox.com/analysis/21658/

Comments