MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf
SHA3-384 hash: dd1ba6a0f31b95694f105ef07d74b0e1c1bf5b1f41f71357b794245c7e583ab8c3ae59c74b46c19ced470f360a79ea54
SHA1 hash: 953f07ea48032eab7dbfb0ba4eb27c323678694e
MD5 hash: f69261837f9da67ec44f9162d322b7ba
humanhash: blue-california-angel-triple
File name:QUOTATION_REQUEST_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'184'768 bytes
First seen:2020-07-20 07:18:33 UTC
Last seen:2020-07-20 08:10:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:ZuN51q9I6/kldSCGDyaod+ik4g8y3SoDOqvFR/CFFeY+qwBzn5D8:ZuN5OPW2rEloDOqvCFFdcv
Threatray 10'624 similar samples on MalwareBazaar
TLSH 2545DFCB6A9C5000C5AD2EBD5E628A75033D7C05F4F1935A2BC4BA8E29FA352DC74F52
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: srv.kucukofis.com
Sending IP: 94.237.90.68
From: Laurels Brent <reservation@memoiredangkor.com>
Subject: Quotation Request
Attachment: QUOTATION_REQUEST_PDF.rar (contains "QUOTATION_REQUEST_PDF.exe")

AgentTesla SMTP exfil server:
mail.bosut.mk:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28528/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.52265.19693.143.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-19 22:44:55 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dus6kcy4rtx3cgzozsmrx2emaf6sz2ucqeipqvpaghnfsvuez2xq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
022cfd64b9043ff9b9a47f985d3be85e05e9604d8f7aeb03a109c54452fd9883
AgentTesla
4e1baa07121d1eda13ff2343ba1e5300677b7a54f78034131e0df692ecae1fcc
AgentTesla
5acfaa45206fa03fc84c524016caa909e43f04e1c78232060439f354cc6e5ff2
AgentTesla
647152ceaf515e3be5779486a64ad4d25cfac12225d6284d9b4a46013099a4b8
AgentTesla
836d479354578427f7cc678351df35175bc6e4b6a75bd936b1945b961f808a88
AgentTesla
92d2689159c5984751e67f61486e25a8f66921d372249af5ac22078cf22c8be9
AgentTesla
9b6b2038805b770162eb920f87e9ca06742f72d7b2034883c9b90d41e0c06e93
AgentTesla
af8343cc25fb243e378897bcf5c22ff94287610ae86538862feb362e2382b456
AgentTesla
d0f9d0ea9402b6e61e273a5e80ef4c693a1c595414d288a73717efd549e361db
AgentTesla
f94753d7e65b0f9e6717ae394c27c07e6bc6dc3244233866d2a5f3d037bed5b3
AgentTesla
+ 10'614 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200720-2phmq5z2b6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar c42fbca528bd28c6d94ea8c1026b62c1d65c5a5a413affb0f72f01cb2d2a5e17

AgentTesla

Executable exe 1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf

(this sample)

  
Dropped by
MD5 3587f5617bfc645f8e6f3cb0ee59c566
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28528/
  
Dropped by
SHA256 c42fbca528bd28c6d94ea8c1026b62c1d65c5a5a413affb0f72f01cb2d2a5e17

Comments