MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fcdf988e2477495e8fa6b8b307118106ee71d8a6ba4e22159da160f0c3f44de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fcdf988e2477495e8fa6b8b307118106ee71d8a6ba4e22159da160f0c3f44de
SHA3-384 hash: 6949c30fe24b8b0e48b6b9cecac6bda2855639551ac09304280ba46042bf95e44f870c6eba78fd62a465f0f6fd7866ba
SHA1 hash: d10aa88c572398145f2ac3f53b1d9fa652f4f864
MD5 hash: a1311684ba4c89ff7c84a7ee02ef9dbd
humanhash: winter-robin-batman-diet
File name:Catalogue RMK trading LTD_6682_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:604'672 bytes
First seen:2020-07-16 06:26:05 UTC
Last seen:2020-07-16 07:03:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:k1o2k4zU04yTPhlaeVbDTzLsXPDq1GE09mTHM2CnnJzWxikmzofLO2Eh:2P9ThAeZDTmPDqGj6H6J
Threatray 11'110 similar samples on MalwareBazaar
TLSH AAD49DD83510759EC44ECD768964DC70AA202C66F7FBD207A3C36E9F793C697CA052A2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: llsc494-a17.servidoresdns.net
Sending IP: 82.223.190.47
From: RMK Trading Ltd <revesnor@revesnor.com>
Reply-To: c.eomirou@rmk.es
Subject: INQUIRY
Attachment: Catalogue RMK trading LTD_6682_PDF.iso (contains "Catalogue RMK trading LTD_6682_PDF.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26340/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.19310.9601.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0fcdf988e2477495e8fa6b8b307118106ee71d8a6ba4e22159da160f0c3f44de/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 06:28:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b7g7tchci52jl2h2nofta4iycbxoohmknosoeikz3ila6db7itpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
24a00145d774f6aac5b11be0188c88f4b9485e626f464e94bb355db0e2ad0f93
AgentTesla
34408552d34edc061e6bce5aa476bdfa09f5c8a7f1936d902dea430c0fa14d62
AgentTesla
3b91f298cfdb9541f0d548a38576e37012c645926ab3383d21677087c107b52f
AgentTesla
3c424e2399b9c7c6137ebd07c82955103e205ec70fa52518ea73fa82ef5cf946
AgentTesla
57234a3ec3bf2d3e6539a25221595d791fcf68dbed39a942651819c74fc3c664
AgentTesla
5e5d0ada2b375dd1cf9a412c4753bd0cb30900318c39ca98d72dce4bd1efbc3d
AgentTesla
a221aea48e4c8450ffde297704231b8023ee99a1e98892c3958dc3072bb33f16
AgentTesla
ac6059835dff236452027450749d077775411e277447a711e5f53bea47262821
AgentTesla
c4aeb26dbf763871a003bea68d96b7d6937437cfda61f18c36d1a72aa59667ac
AgentTesla
d67f2ed340a9ec458150d078fdeaf4707c8b11fa05ee60fbb4958a0b5f2e9854
AgentTesla
+ 11'100 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200716-axdf6pe8c6/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 09cd4a62de298bd73aec80b31ae63761f7aa16d9b60cc1a627527f706b5f43c8

AgentTesla

Executable exe 0fcdf988e2477495e8fa6b8b307118106ee71d8a6ba4e22159da160f0c3f44de

(this sample)

  
Dropped by
MD5 c2ad412f248d553444ed70c799bdae58
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26340/
  
Dropped by
SHA256 09cd4a62de298bd73aec80b31ae63761f7aa16d9b60cc1a627527f706b5f43c8

Comments