MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f7c438e16c881ff7adb99304a629393bc220c5ea4a61190ae881898c438fe50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f7c438e16c881ff7adb99304a629393bc220c5ea4a61190ae881898c438fe50
SHA3-384 hash: 118ff66e5431c1c1cd8588c9dc666e17a40940c1fec35a20f081c19f3a3f63702eccfe04438ba31b837b999ef09e5c77
SHA1 hash: 54019a65010a2168c67134dbab76462ad99e1656
MD5 hash: 651701a94f636db85c7025ed9c17aef4
humanhash: emma-cardinal-freddie-white
File name:PAYMENT 2.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:730'624 bytes
First seen:2020-05-20 13:18:51 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash bd14599cca3bfe5eac2aca6e33e2157b (7 x AgentTesla, 3 x Loki, 1 x NanoCore)
ssdeep 12288:EBEm2TGS371Df9rjlPd+2ZrC0JA+FO/nrT/00UjRWE0QzEgBoA6Xc:EynTR7FVrD+OXST/jE0QX6M
Threatray 11'298 similar samples on MalwareBazaar
TLSH A7F4B132F6E1C837D1635A7D9C1BD36C983ABE513928594A7BE43C4C6F397853826283
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail01.ad-6bits.net
Sending IP: 94.23.80.112
From: Customer Care <customer.care@infocamere.it>
Reply-To: customer.care@infocamere.it
Subject: FIRST PAYMENT
Attachment: PAYMENT 2.exe

AgentTesla SMTP exfil server:
smtp.falconsgt.monster:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 00:33:59 UTC
File Type:
PE (Exe)
Extracted files:
274
AV detection:
28 of 31 (90.32%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f56ehdqwzca766w3teyeuyutso6cedc6ustbdeforamjrrby7zia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
186926c5114f3c21eef158cc18f815591edc48864f0f6817d3677a5e6ecef7ed
AgentTesla
4171dc8b0156c5471ff44e843ff7bf8bebb750ff7b1988b4ad18982892492093
AgentTesla
429507366eda040b019369ecb0b5bfbda33fc0c23ec02ce46fef83c8bf4c0b15
AgentTesla
757207b0f638a3e70800aaa7cb4eda7e207f3641158d4a789d50b231fbe4f136
AgentTesla
832356bca6bf9614fbae4ca6058fcb9eef76689657a0dfcaeaf32f28ecf0c24e
AgentTesla
d169af713aac6178816694e1006b2e9f6411687fb13ed0402792222d380624f1
AgentTesla
e00520e9dbd220029d136401e441b14cc1f0b77272305a4ed045253b83c72eb4
AgentTesla
e10ae13fb03d5e062e25efc20b4a1de545831dd95831ad1760a6c07dcec56da3
AgentTesla
f3232a34ddf3d75e57216467b754d135204fddc84a1755d694aef2c4a3b599e5
AgentTesla
f4fa3604afcd80c55941153dbd9d16f4449871fef52050b6d8d12564182f4102
AgentTesla
+ 11'288 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-58klkx2yn2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 2f7c438e16c881ff7adb99304a629393bc220c5ea4a61190ae881898c438fe50

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments