MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18ee411e31ac1f4e3bcd2d811b147853bf2977645c631809acc75b7639e7292c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18ee411e31ac1f4e3bcd2d811b147853bf2977645c631809acc75b7639e7292c
SHA3-384 hash: 3c1f9583f0e664ef764edc75502d626d3c7d6b3a4c6072bff696904d3b6ca0bdc889a22fb331aaeb00b3e2a38ba5bec1
SHA1 hash: f41405988bf66bbf5c60a4c735fcf2d9949fae2a
MD5 hash: 2857e40a8d328c591b1ce60a864af646
humanhash: ink-low-papa-nitrogen
File name:RFQ_ITT 30-2020.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:374'272 bytes
First seen:2020-05-03 12:26:43 UTC
Last seen:2020-05-03 13:49:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:eowSVw1vdWlGUmMcBJt9fMZ+GkDYOw5WZCgqsAkTrYP:qw41UmlBJnrGgJw5mO0rq
Threatray 10'627 similar samples on MalwareBazaar
TLSH 49846AB86CFC4077E66AE7B2CFD48836F196A19772691D3254C7924983A7D83348387C
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.aduamerica.pe
Sending IP: 198.1.66.95
From: Jaco Jacobs <jaco@africangrain.co.za>
Reply-To: Jaco Jacobs <arkshopibericq@gmail.com>
Subject: Fw: Re: RFQ_ITT 30/2020
Attachment: RFQ_ITT 30-2020.pdf.z (contains "RFQ_ITT 30-2020.pdf.exe")

AgentTesla SMTP exfil server:
mail.apipharrnatech.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Banker1.29984.6937.4840.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Genkryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-03 13:00:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ddxechrrvqpu4o6nfwarwfdyko7ss53elrrrqcnmy5nxmophfewa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91
AgentTesla
0d048612a3cb9e6113b539ce3bd2f08f56e604869cdb38edcf02400ae12c3a74
AgentTesla
2b1e4f6443927562d460588af4264fa5c5bdde4b29779588d5c0998269958f56
AgentTesla
5bdd8fb618fac11ac4607b9d16a0183a461366e00f37c09a651cf3fa62a61424
AgentTesla
9297d40e8a55c2bb0d833d2210859dbe1a3486503f47781ac46cbb96d842407d
AgentTesla
ac91a92482a83fc39b66e0e3f6c46839fd77d16316c38830a9921ca707e824af
AgentTesla
bb215970f09e072c24bbc17c0c255447861c7f9f01c357dd6670ca5c49dc2262
AgentTesla
c102aeafa1ba9f31a8433b1c3b14f8e555eaf7d2dd5af0cd63403ff0160134f1
AgentTesla
d92c7343d3643bc031c353f789cf3a28d5a152a10f5848bafb2ad99f4a49f99e
AgentTesla
facf028923bb080f70fa54f8c547679651df7d1dbb618cdeda7b16f8fb0f4005
AgentTesla
+ 10'617 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a0bcf0a699bad123a8dade06067df4838fcebf088de8a991b8671e57fcb0ee94

AgentTesla

Executable exe 18ee411e31ac1f4e3bcd2d811b147853bf2977645c631809acc75b7639e7292c

(this sample)

  
Dropped by
MD5 9719b80c133b0824d0377c973190e637
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a0bcf0a699bad123a8dade06067df4838fcebf088de8a991b8671e57fcb0ee94

Comments