MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 07cad509cf5a4ee6406a4229fe21bfaf23101816b2328402f86bc3b9e8c47d44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 07cad509cf5a4ee6406a4229fe21bfaf23101816b2328402f86bc3b9e8c47d44
SHA3-384 hash: 886a6f36d641bd2ab99268669438eb952c969ae72a6c2291502b580e22a0b1c979777235ade3e7b64743c1a7dfcc898a
SHA1 hash: 2123d353e0a308e8390077a573e14d1393c9920d
MD5 hash: 8ab431fd84fe2734f8f85e8b52e89466
humanhash: connecticut-missouri-eight-yankee
File name:Order098789.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:349'184 bytes
First seen:2020-06-22 16:59:10 UTC
Last seen:2020-06-22 17:38:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:cwFqOoj9psRLlDn4zLZTlOZQy9p+wHb9RvgUWnOeXtJ2V:pFqOY9Unc9y9ZFgUWOeX
Threatray 10'675 similar samples on MalwareBazaar
TLSH 5A74E0C84B744AEAC12B9F7D1DA1A314ABA433630952C30B352C3A397CD59FCDB69716
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: wildernesstrader.com
Sending IP: 103.207.38.154
From: "Maral." <trader@wildernesstrader.com>
Subject: Re: Re: Re: Re: Re: new order
Attachment: Order098789.rar (contains "Order098789.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12688/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WEZ.23531.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/07cad509cf5a4ee6406a4229fe21bfaf23101816b2328402f86bc3b9e8c47d44/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-22 17:01:03 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=a7fnkcopljhomqdkiiu74in7v4rragawwiziiaxynpb3t2gepvca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
05c1f772142b914a5761ae612fdd21cb2a5a7c8560f05b4410858024f6f2acc2
AgentTesla
05f08d66b6f118c60851b9b3a9f86eb9db05955af1bb2b6bbdd9b5308972b3b3
AgentTesla
09944e1f48bf7f92a9302b2fb104e20ede5d5a897dd2107f795175e0cfa405e0
AgentTesla
127dfcf1e210fc37a26f34b49e552de670aa17e912c38b51f0a374df6d6b9389
AgentTesla
715de4488b8f1a697672312f7a67c075c982d3a14cf2614dfb549b995dc34cbb
AgentTesla
8af6ccdf9c60f235ed2d82cb83bde963542797f038d130fc5662d9b0254e1939
AgentTesla
a2923551197772b1a9801410915c1d538f67cfaf50440f9096b17cc7a785cc72
AgentTesla
ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317
AgentTesla
bc36d20a9c2283a9f9e01a995af6fde7824a0d18469983d0a6fb3899c6516b47
AgentTesla
f15d580cc1e0b17070f7fe48cb8d8a60177e4e8468d5b5f2008e6be5c3a85b42
AgentTesla
+ 10'665 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
n/a
Link:
https://tria.ge/reports/200624-y2l49nq6px/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Drops startup file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

9b60f59fc5a22ec88e8fc45ba8dc2629

AgentTesla

Executable exe 07cad509cf5a4ee6406a4229fe21bfaf23101816b2328402f86bc3b9e8c47d44

(this sample)

  
Dropped by
MD5 9b60f59fc5a22ec88e8fc45ba8dc2629
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12688/

Comments