MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 094f6a9977aca85ca844fdab18035108dda8907b5c7b90416653a573e4e127b7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 094f6a9977aca85ca844fdab18035108dda8907b5c7b90416653a573e4e127b7
SHA3-384 hash: a3bfa34b1e57b0d91d919c56c50369526fff7931adfab0bc391de210706f34a76c856c52b9b151c1a254985293f5a2d7
SHA1 hash: d557a14aca121b534854bba8b7357bfd91d042c4
MD5 hash: 22c37e22bf539c843de4ccc764924f33
humanhash: nevada-wisconsin-item-lamp
File name:Purchase Order~pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:705'536 bytes
First seen:2020-05-21 09:52:08 UTC
Last seen:2020-05-21 11:15:07 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:K7dlwiR9s5xriaseEhrBpmCEIeuvehb1d0O4vuzUHSgngI:Kxlwo4FAbrBxeuvehbXb4vkU
Threatray 10'865 similar samples on MalwareBazaar
TLSH F9E49E302FDDCD36D05A8FF5E1422254F57ADD4E8E97CA48C9BD629BC432FC0A815A26
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: m97110.mail.qiye.163.com
Sending IP: 220.181.97.110
From: Jessica <jessica@beihua88.com>
Subject: Fw: Re: RFQ New Order
Attachment: Purchase Order.rar (contains "Purchase Order~pdf.exe")

AgentTesla SMTP exfil server:
mapi.diplemailsrvr.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.LuheFihaA.19055.24416.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 05:15:23 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfhwvglxvsufzkce7wvrqa2rbdo2red3lr5zaqlgkosxhzhbe63q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2ae247545c4291da9b83ad9ba0c6af00bd80c896a3fb9fafd028e09444bf3baf
AgentTesla
348ab69ec7c99d1803d0b8b29f5959fff8dd6daed1d992f7da2d796495ac0a67
AgentTesla
3cad8abfd66f6df4932c89a68f71e666568d74cb9260b05984294d1675e2d838
AgentTesla
4e25b6d4521cf58ad62d8c11c621c6f54d4ebb0ee8f50cebd904c882e6c9a66e
AgentTesla
6c731b9e623222de40d78c857573d713bafce156a4b42dd445a840fddfe585be
AgentTesla
956338e6d5c9af567addc3d16a0026d124aaa3d0657471e0e0bdd8d87c3ee762
AgentTesla
b826981f8021d62f3c3d2126a6a5f5b1f6c1591ee875a509985d595568c096a4
AgentTesla
bce1f7597dcac5d3744d485142c06a71b60eb246a4f5e97bc41848150a822215
AgentTesla
e0e75410c585dcaeab1ac774bf62f0ccc55ec32e009fdf75a8f089438e5b65e7
AgentTesla
e469882fa707c3f2f85c8bdd5fe250434f3fa5169ee71f8132dce99296b99629
AgentTesla
+ 10'855 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-qc7be6dhps/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Disables RegEdit via registry modification
Disables Task Manager via registry modification
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 53398258a220177c38d7c2772465b04abf1d5f76f5498bac47fcb4bb8a8497ce

AgentTesla

Executable exe 094f6a9977aca85ca844fdab18035108dda8907b5c7b90416653a573e4e127b7

(this sample)

  
Dropped by
MD5 84fc9b2e219a1e95f95f1406c76decd3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 53398258a220177c38d7c2772465b04abf1d5f76f5498bac47fcb4bb8a8497ce

Comments