MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d2a780d54c81fa2a4990bce7f008d8a1445ee1a47ea40db306dad6994285845. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d2a780d54c81fa2a4990bce7f008d8a1445ee1a47ea40db306dad6994285845
SHA3-384 hash: daf4873d1ef31afa4441d923c99f9d5664fdddd2a83db6e331155dffdc5c44895caf3f04589b6933ae0355336e1afef5
SHA1 hash: bcdc699400d88c0341e28c45a9a0b0a215a25195
MD5 hash: 7589e60d6abff5a942496d4dfc936e32
humanhash: india-magnesium-moon-east
File name:DİLMER MAKINA LTD STI ORDER_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:523'776 bytes
First seen:2020-06-10 10:01:20 UTC
Last seen:2020-06-10 11:10:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:fj/qo1rWF1fWoYYwI5871OAA/0nbwoNbh09sDXH6QHegSWGN8c:mKybWvYwIQ1OAAytd
Threatray 11'776 similar samples on MalwareBazaar
TLSH 7DB4BE8D3250B69FC42BCCB28DA82C249B61B5779717D243A45722ED9A4D7DBCF006E3
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: globe3email.hostcentral.net
Sending IP: 103.53.172.34
From: DİLMER Mermer ve Mermer Makinaları San.Tic.Ltd.Şti. <export@dilmermakina.com.tr>
Subject: ORDER OF PRODUCTS FROM DİLMER Mermer ve Mermer Makinaları San.Tic.Ltd.Şti.
Attachment: DİLMER MAKINA LTD STI ORDER_PDF.gz (contains "DİLMER MAKINA LTD STI ORDER_PDF.exe")

AgentTesla SMTP exfil server:
mail.greebals.gr:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WGM.19931.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 08:26:26 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=duvhqdkuzap2fjezbphh6aenrikel3q2i7vebwzqnwwwtfbilbcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10fad4b65a448aaf07a2485e21c8679f9abf3384956f313177e5af3d971ec5db
AgentTesla
165e8d77d67463418cf9812a06921ceaa52cb4b7680f35766178c1b5914b4634
AgentTesla
22a3fe05132793fecce3337c6e692f2c7f978a01b9ab334dc4da337262cb52d2
AgentTesla
2cd664671f3e8736a9840f60a49c1ec060e4cc4d5af71bd5c32155159ea6ce10
AgentTesla
43e70aaad54048f5e4626ebde2c50bade7984d2af0df4086ab7809337df8ca16
AgentTesla
7bb9f73ae2fe5d1dec17425636ceb65832c41773aee7a741f431597a20926e02
AgentTesla
b1f45414f7fda2bbda7adc60f09f384eaf29a8468531446c2e508d36a73fe7a7
AgentTesla
b744e2179181f87523cfc99ed87eea6a6dd59b7ea69ed18ec541b6d982f5589b
AgentTesla
c94d93a84628439ddf5026162868a48299de89e949199cdf2d60b114c13bd05f
AgentTesla
cdbac6d4c4c6c722cf135d95f1c0e3d818dc660039ff4ad802c8ce4cc0f7145b
AgentTesla
+ 11'766 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-dbt5bjerj6/
Behaviour
Creates scheduled task(s)
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 978689b4f8b7d180ebd5c0a3c1c7c3cf9184caff0a2c7267dc2423f704e259ca

AgentTesla

Executable exe 1d2a780d54c81fa2a4990bce7f008d8a1445ee1a47ea40db306dad6994285845

(this sample)

  
Dropped by
MD5 b72a70bf2f667b308995ac1e8d8d7c6e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 978689b4f8b7d180ebd5c0a3c1c7c3cf9184caff0a2c7267dc2423f704e259ca

Comments