MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e68055f95563948fbacfd1de0b04fd457c108ef8482d2a6642a0067835ce529. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 4 File information Comments

SHA256 hash:	1e68055f95563948fbacfd1de0b04fd457c108ef8482d2a6642a0067835ce529
SHA3-384 hash:	0df14c8c0de801c212da0ed3b0877805f74ce80212c7521730076a503c85078134f4ef82554a45103e1713d05f272fa2
SHA1 hash:	777d3b22200f3bc61dfcaa19fa81e1fe36032856
MD5 hash:	535a095b0088bcc38cfe28654265a1c1
humanhash:	north-london-alaska-edward
File name:	Payment Advice Hsbc_Pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	585'216 bytes
First seen:	2020-06-03 12:59:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:LlEXsAXJ55N7G7NZQ0uu9Hll2HT2uQ611QMujiw0D:LlVALb4u8HGzB6Mu2
Threatray	10'975 similar samples on MalwareBazaar
TLSH	35C4D0443591BE4FC27E4E72882618105BB1E6736E4EF3476CC735EB986EBCA0A11787
Reporter	abuse_ch
Tags:	AgentTesla exe HSBC

abuse_ch

Malspam distributing AgentTesla:

HELO: mila.hozzt.com
Sending IP: 176.53.94.105
From: HSBC Advising Service <advising.service.9327620.828655.2857001560@mail.hsbcnet.hsbc.com>
Subject: Payment Advice - Advice Ref:[GLV404784928] / ACH credits / Customer Ref:[00330LEN68M00100] / Second Party Ref:[540000822720]
Attachment: Payment Advice Hsbc_Pdf.ace (contains "Payment Advice Hsbc_Pdf.exe")

AgentTesla SMTP exfil server:
mail.miryatradingltd.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-03 13:45:38 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 31 (54.84%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dzuakx4vky4ur65m7uo6bmcp2rl4cchpqsbnfjtefiagpa244uuq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

397c2b4608c484eec2613bea0baa9b7e7b163b9ac27e3a197d5fdaf46792f605

AgentTesla

52cdd546546dd2aa15246f96b2d779b27656e72b7730282ed6e92c14aa978d77

AgentTesla

7c479cfb9c3df15b565e16fc62709d8af849773c5112b53bf4d41f939219d6d8

AgentTesla

b96eaf9ac03911e5764eb149c9c0235c19c97422a45ba1176c962ad151c87185

AgentTesla

c2df19f344fb1d82a9bb0a0433865874edbd8ca203e843cb6452768d2aa66240

AgentTesla

dd73ef0c278e50bc42f5afe096966fa841b9acbb6bfb553a67724b04cc85d097

AgentTesla

ef1448f905b7a9ac9186f6d076996b9638d37a8b96af5f7c791c4b0aa9a7aace

AgentTesla

f036e2aa7615446d2cb3ab689b13aac4055bf2cb8b19b0999db08d7052a80bf1

AgentTesla

f91c59a4e7c426578c67ccfeeb3f4ff7a2f131bf1bf8ca891553f398be9d4d01

AgentTesla

+ 10'965 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201109-nhehevkk5n/

Behaviour

Creates scheduled task(s)

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

94c79156c6c93cb86f76c69f6ca60d71

AgentTesla

exe 1e68055f95563948fbacfd1de0b04fd457c108ef8482d2a6642a0067835ce529

(this sample)

Dropped by

MD5 94c79156c6c93cb86f76c69f6ca60d71

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample