MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e62a268e2511720e6cbf0f77780e3147ca2d060d75118d5e0984e3059593829. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1e62a268e2511720e6cbf0f77780e3147ca2d060d75118d5e0984e3059593829
SHA3-384 hash: 9a7142cf442d41ab69c71a61c677448ccf8f9a9d15977d5e965e259d28fc0bb0aea5d17dc612e28d55d427edaffda446
SHA1 hash: 706fdecf6cbb860b890742db3e9dbe239662703e
MD5 hash: 4268fdc3799323a843475051fd6ad542
humanhash: delta-colorado-charlie-blossom
File name:Factura Proforma No. PI 20-21-0014 y PI 20-21-0015 (1).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:790'016 bytes
First seen:2020-07-20 12:52:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 947a363cee796918c4dd5f0352950426 (5 x AgentTesla, 5 x Loki, 5 x MassLogger)
ssdeep 12288:SpxEDrQY5EvoFzhlmTS1i4jkkg52CKRC8fZ9GPJOe+TZmQ0Cnek3egKE0+qSEH:Ca8voVOIObYfZoke+TMQTneZuCH
Threatray 11'696 similar samples on MalwareBazaar
TLSH B8F4B022F1E04877C177167C4D1BA678A836BE103E2C99766BF75C4CDF3A64034A52AB
Reporter abuse_ch
Tags:AgentTesla exe geo VNM


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gmail.com
Sending IP: 185.222.57.207
From: Tưởng Hoa Phạm Thị <tuonghoa7794.ph@gmail.com>,
Subject: Yêu cầu hậu cần (Lệnh sửa đổi)
Attachment: PI_124020502207.iso (contains "Factura Proforma No. PI 20-21-0014 y PI 20-21-0015 (1).exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29124/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.10949.1876.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1e62a268e2511720e6cbf0f77780e3147ca2d060d75118d5e0984e3059593829/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 12:54:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dzrke2hckelsbzwl6d3xpahdcr6kfuda25irrvpatbhdawkzhauq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
27f576bd27f707cd9c62164def16b57878fd6d1d1ae6bbf1f905d4668c298517
AgentTesla
2f048ca43dccc9a40348e7be9ba59e487a683115b6d32c346dbbca531b597c82
AgentTesla
34a88c5a15f36eb7b24dfb21e53185ffa67a04760533e9d474dd4de4e5331153
AgentTesla
425d0b685a7fb99078c3c3f81929c0a7a8836cb0f901d4950afca8ea1cc9839f
AgentTesla
4b2ea6a05f162abced933abc57f1b74e9167bb070bd10a56a73745d908a6c57c
AgentTesla
aaefa26175b22b29d742082a016606aaf045c3c587f12ce4e975fed56abfada2
AgentTesla
c4284c413395930a3ca9561d55045bb40c5d14d8c70e44f4f7a9b944ef34935c
AgentTesla
c6623c1d81defbb2f39224fad80aa071b99b3d08788f6cd400e9c43f9c324b0b
AgentTesla
e47d2283c026db3c1d24b547699e99b6306c795616e2d13eb107de9a6eb938ad
AgentTesla
ec44baa08d0e4edf9673749f16f87a1fe21d981bf08715e20a579a478316f4e1
AgentTesla
+ 11'686 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200720-jq6h4vr3rn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1e62a268e2511720e6cbf0f77780e3147ca2d060d75118d5e0984e3059593829

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso e233e230cf0e70ac03815322939ef0a6aad7fad481c37e5b7664810e1081634a

AgentTesla

Executable exe 1e62a268e2511720e6cbf0f77780e3147ca2d060d75118d5e0984e3059593829

(this sample)

  
Dropped by
MD5 2937d142318d5f101b3db90502bb76cc
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29124/
  
Dropped by
SHA256 e233e230cf0e70ac03815322939ef0a6aad7fad481c37e5b7664810e1081634a

Comments