MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 148c1895fe8c67ada30fc63cdff1ab698dc3618bb6e55fac669a1d4bd1ba53ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	148c1895fe8c67ada30fc63cdff1ab698dc3618bb6e55fac669a1d4bd1ba53ab
SHA3-384 hash:	56ba362533d1cd31949079976d65b0c0fa6f2bd94d94cbdc10c4db6b18909e6085f143d9e49856b02763057848a55876
SHA1 hash:	2081d506e2e785705ca51569a021fcc275b71d2d
MD5 hash:	b77f69e08d736e19b162dc3381aa69f6
humanhash:	pasta-robert-alpha-echo
File name:	QUOTATION.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	565'248 bytes
First seen:	2020-07-07 09:00:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:aqhXDvoCnZ+F1QU+BHtCOkaGcIMXGusnghHbnsMBh6SeGezqC7yT:pxU+xBasGuTRbs2h8Gezq1
Threatray	541 similar samples on MalwareBazaar
TLSH	3DC4BE7132269EE7CA3D08F0940428494FB5689B666DF3D9FCC220D642D9FC09E59BB7
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: khusheim.com
Sending IP: 95.211.208.25
From: Ahmed <sales@khusheim.com>
Subject: khusheim Quotation 2020707
Attachment: QUOTATION.rar (contains "QUOTATION.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

1

# of downloads :

75

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/22098/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Using the Windows Management Instrumentation requests

Enabling autorun with Startup directory

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/148c1895fe8c67ada30fc63cdff1ab698dc3618bb6e55fac669a1d4bd1ba53ab/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-07 03:00:02 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=csgbrfp6rrt23iypyy6n74nlngg4gymlw3sv7ldgtiouxun2kovq._file

Verdict:

unknown

Similar samples:

03a99b633ca01928659955c896a703e45cbc1527738b53a5d6267fa8da44c030

1a74ccf719aa43c97835fd2bd03de4c85d4d4eaad56482b8d4d70e3f8beac769

1e1a825c158fefa17df9237a4be60bc99e1a2a42ded631c8636b6af668b1627f

50823ae6e2e1cdf7aeb3fa1e9398ef0f5f7c244d22e3a1fce261aa0836bd02bd

68cc2dbe766234de0ce7f8853b2526bc8fa7194c106f0cecd55683e297d3764f

7369dcfec21741f712f75662e29752b6a55fcacd1fbf76b9948d40b82e89b9a0

964e7b311e933799477fd793aa4e7721af35fe5c494fd9d995a6a620b162e516

bc58f26c79cc8330e384f602bd129a25103576a1520c5fbc2c27abef784ae1de

f17f88079f997a584c219a64b4105b6f98a6356f16a557bc0328758655d8fb99

f4a1a9d78555e5162dd5aebe870aea13af3a8151d031a6221e5340775457ab8a

+ 531 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200707-f5vcyjmvz6/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar debab97d1ac2fbd27c42d7ef39b5fbc60b2a593445404a2755a0658c1c80ff02

exe 148c1895fe8c67ada30fc63cdff1ab698dc3618bb6e55fac669a1d4bd1ba53ab

(this sample)

Dropped by

MD5 0ceea380141750d0dbd5c491d858675b

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 debab97d1ac2fbd27c42d7ef39b5fbc60b2a593445404a2755a0658c1c80ff02

Cape

Cape

https://www.capesandbox.com/analysis/22098/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample