MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04cfd305f0d352144e6063af7ca62241127142e7f67e079b78ce10f95e33d29e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04cfd305f0d352144e6063af7ca62241127142e7f67e079b78ce10f95e33d29e
SHA3-384 hash: 133bea61444b41d28c72cc371e12a8792a21c59479c8b5e19c7244b770a3fce717c1206006e5e0652a4e6e607a077184
SHA1 hash: 0a2ecd07982505abb47f4e8d5d8795761b7b4231
MD5 hash: ab391f4957116905a7c2c51016d0c2f9
humanhash: leopard-hawaii-spring-low
File name:PREVIOUS PO AND PI.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:703'488 bytes
First seen:2020-08-18 13:22:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0Wf9r24EcmZHAFaxmVmie9bngPEuTuOoraTSi+F2B3viqTLX0vL9rJ8De8W/7YED:C4EcmZHAFaxmVmie9bngPEuZWwPTmru2
Threatray 9'198 similar samples on MalwareBazaar
TLSH 00E4476D3D50EA8FF5F449B1B8205E22077227568623A533D49391BEE7EB4FA3932053
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dphe.gov.bd
Sending IP: 45.137.22.54
From: Steinar Lea <ee.sirajganj@dphe.gov.bd>
Subject: 이전 PO 및 PI
Attachment: file.pdf (contains "PREVIOUS PO AND PI.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47915/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/04cfd305f0d352144e6063af7ca62241127142e7f67e079b78ce10f95e33d29e/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 13:24:08 UTC
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ath5gbpq2njbittamoxxzjrciejhcqxh6z7apg3yzyipsxrt2kpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
14adf4dd13033d8ed032a7ebd489a056752df681ec958d92b92d8776d0387f7e
AgentTesla
45286f8728324778e28e8e20ee34e789d7123e04158ac789dcbed9a94f42da6b
AgentTesla
50cbc0b693b4204caf169db073592dc53b8b1c21b9e71a640ee79692918cdcef
AgentTesla
a35e2cdf735f7548734e3a0647849754ce8b180809438efa67ae280454831443
AgentTesla
a66ca1e1d94dfbe3e0fe92afd519f9a00b102438f6be1786a988fca58fa19bc6
AgentTesla
a777ac93ff0c17ae3f7d317ac3a4f01584bf17dd2d00353adc398e5b1723556b
AgentTesla
bbb1cd2d138cd5331c4a1ef19a81688c45704fe3e96dbda7b7ffd8317b70fd84
AgentTesla
ceabc6af60d4bf77f5610a2194219bafeb96bd7fc94ab35d6ae51e7459298d7d
AgentTesla
dfe001ed1950d612ea59a75c6367629ff0e031853e9f7a12b7f0381a4f20660f
AgentTesla
e3e667f5f3f179990bcb4616c8e5d56eeb8399bd867799c4bc68fac82c9b0a0f
AgentTesla
+ 9'188 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200818-dknxac74wj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04cfd305f0d352144e6063af7ca62241127142e7f67e079b78ce10f95e33d29e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar cfdf6adba3fbdd3d6ebe0a7a74c6bd9e74197c0380924c80baccff9119fd30ff

AgentTesla

Executable exe 04cfd305f0d352144e6063af7ca62241127142e7f67e079b78ce10f95e33d29e

(this sample)

  
Dropped by
MD5 289f2d611e120deadc289df67ef6fe2b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47915/
  
Dropped by
SHA256 cfdf6adba3fbdd3d6ebe0a7a74c6bd9e74197c0380924c80baccff9119fd30ff

Comments