MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1debc399539d6dddfa7522dbf42b2ade7d0e56179588fae9f144301a84629e50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1debc399539d6dddfa7522dbf42b2ade7d0e56179588fae9f144301a84629e50
SHA3-384 hash: fca6141892706f816dc2c1fd21bc7491192f927af574fb0439c2678ce7e9d3ae2e3495426d7108e622feeca002216626
SHA1 hash: 7712236e9d81cc5654023d7a21b0a518ea2b53d9
MD5 hash: 903746d6c18aef7b3acbf91fb0b1ba11
humanhash: spring-high-eighteen-quiet
File name:Original invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:818'176 bytes
First seen:2020-07-12 08:11:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:pSO7H0ImyzsXEk+Dx5+UJRcZ+LWiWacTaulCSRO6ap7D7GLT/ta2MUe1B:R/9wEFx5FRcZSWLTESRyp7DSLrta2M57
Threatray 11'279 similar samples on MalwareBazaar
TLSH 190502F5F54A1C63CE390AF21B2298404FF26C1B55B5E2EF8CC971C65AF6BD111229A3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.amberresidenceng.com:587

AgentTesla SMTP exfil email address:
reservations@amberresidenceng.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24823/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PackedNET.378.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with Startup directory
Unauthorized injection to a system process
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1debc399539d6dddfa7522dbf42b2ade7d0e56179588fae9f144301a84629e50/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 06:14:54 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dxv4hgkttvw536tveln7ikzk3z6q4vqxswepv2priqybvbdctzia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1aeebb408f994fab29b26a81576cbd195faf9d4a1e0ef4c299e38b970e43de2c
AgentTesla
3305e88d2594770eced662a94933358d2d1d57534aebb9c6b7876e50de58a8a1
AgentTesla
3ae8eb9d4bc0b3f87a57648f25938b346986101428a5ed2a3f6c6d68bd5f5b4d
AgentTesla
4ff6913b35226527d4bb0bd458d326ad3d1bdd50b90aaac6d4eae1f7f43922c1
AgentTesla
51e016d7614461f51389151f4dce30de7db0945f781b4d7d6ec6ab1ef97935fa
AgentTesla
5477643235b833aa541ecdc02ee302b141a306c8ab01b08341341f4a2fb20341
AgentTesla
a4d4f50a2dff36ea8d3f92a832578a875c3f6a3ce227f1263114bf9dcbe9e335
AgentTesla
b3f42f7a9747edcd9d13cab3d0a41b3e0d3cde5a5548f5328b5fcf2f3e068d85
AgentTesla
c4031838bc163076ff2845546cad4c409d9cec8a2100d78d4ea1ea75579f7c37
AgentTesla
d76bb689a401094eee47a075368224161d261665c2b285b155d1b7833ba4fbaa
AgentTesla
+ 11'269 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200712-wldh3d8z76/
Behaviour
Modifies registry key
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 1debc399539d6dddfa7522dbf42b2ade7d0e56179588fae9f144301a84629e50

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/24823/

Comments