MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14c7c733c91c716447e5691a44f236a479e51f0837bb78eab4a910a95af08ccc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14c7c733c91c716447e5691a44f236a479e51f0837bb78eab4a910a95af08ccc
SHA3-384 hash: 57b010755c549b47d819bbcec952ef03fa8148a1e63b89fe2d02a2ceffbf24c80e21b532965c202fbc6294853967ed09
SHA1 hash: 23dfcbc8945bb6d920bd2299c8ab0e613d18e67a
MD5 hash: d2e6d4127e903c75ae1cc6390d50e995
humanhash: uniform-william-muppet-foxtrot
File name:Scan__Document.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:547'840 bytes
First seen:2020-06-08 16:41:45 UTC
Last seen:2020-06-08 18:18:52 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:EaXA4NPb3lCiZMCkDZKnJN/BWZ+/3AxuhBgZiTp:EXYPzllkDIJpEZ+h
Threatray 10'679 similar samples on MalwareBazaar
TLSH A6C4CFDD362472EFC85BC472CEA81C68EA5074BB931B5213902756EDAE4C897CF254F2
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: biancheto.pw
Sending IP: 173.82.154.86
From: DHL SERVICES < hr@biancheto.pw>
Subject: DHL: OUTSTANDING STATEMENT OF ACCOUNT
Attachment: Scan__Document.pdf.r00 (contains "Scan__Document.exe")

AgentTesla SMTP exfil server:
mail.kalatecnic.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VEF.22786.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-08 16:43:03 UTC
AV detection:
30 of 31 (96.77%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ctd4om6jdrywir7fnenej4rwur46khyig65xr2vuveikswxqrtga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d92da4fa2fd3b7ebb74b5bcfe7d824031cbfce983d96684a3552b482f07cbb8
AgentTesla
0fbf94a719f66bcd7d5d5a8fe06d509bd4bf09ccc7610d6b08a6eb97136bc84a
AgentTesla
2c6aa8d5fd233661b6d8c0130af1a0c63539aae4c05fb03d74859ebeec3b7cc6
AgentTesla
88502fda993fde73909371ca6813191b0af2d571632c1ebd5c92bd3a844af1c9
AgentTesla
8a463f15c830e566292963bf3473b16288e71350e97d84359499fd33b7329a66
AgentTesla
bdbfc7d1632cd7d8279b0fee3770abe6f54198d62c3781cfcf098f892c598b21
AgentTesla
bf9aed997a66dbfb9a3b24f4d2b393204a7fa43bd7eecaf3670850f8a4c553f0
AgentTesla
c6c72d491db39c737a992359089e6c424f702d7e5064ee4333606df0baab401f
AgentTesla
ca1bd575c42ce30ba0cb7bda8abfc2976c3781327c4881830b51dbc88e6eb7de
AgentTesla
e0e75410c585dcaeab1ac774bf62f0ccc55ec32e009fdf75a8f089438e5b65e7
AgentTesla
+ 10'669 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-zlww7lwmen/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

95734734dec85ad00f8796fb199ebf65

AgentTesla

Executable exe 14c7c733c91c716447e5691a44f236a479e51f0837bb78eab4a910a95af08ccc

(this sample)

  
Dropped by
MD5 95734734dec85ad00f8796fb199ebf65
  
Delivery method
Distributed via e-mail attachment

Comments