MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 40b64f01b9da5a5fdafaeae7226eb911ec29c6ecddd24aae32465f0c3b97fac5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 40b64f01b9da5a5fdafaeae7226eb911ec29c6ecddd24aae32465f0c3b97fac5
SHA3-384 hash: f8c4e1c3fcbbb814aaf4a443aba163ee3789795ff7e98a6007bcd2b8003cd5ba28ea709f86ac332bd296af96e86f8193
SHA1 hash: ae5ad76d977bedfaa76632fa32d5678c212daa96
MD5 hash: 94c64da42cec451a2bd9c6e30d366fa8
humanhash: thirteen-sixteen-alpha-purple
File name:NPK 202020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:835'584 bytes
First seen:2020-05-10 14:19:11 UTC
Last seen:2020-05-10 14:51:09 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:V5WXH96MgGYx2C3nTSjMfD0SOUHsEGLU0MGU:nWXHhXYxV3TfeUSPMG
Threatray 36 similar samples on MalwareBazaar
TLSH 34055C906A3CC4D5C0A47EB23529D871CBB8AE36797B4A004231BDC4F9F5F54FA0AA75
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: WIN-BF47LL40VE1
Sending IP: 185.222.57.186
From: Ghazimorad Group <sinam5279@gmail.com>
Subject: Request NPK 202020 freight charge to Bandar Abbas Port
Attachment: NPK 202020.7z (contains "NPK 202020.exe")

AgentTesla SMTP exfil server:
smtp.pbrend.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.45400.21790.22731.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-10 14:35:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ic3e6anz3jnf7wx25ltse3vzchwctrxm3xjevlrsizpqyo4x7lcq._file
Verdict:
unknown
Similar samples:
077ea1beb3d55288fae709ca1656bf8ddb08fca31dd675ac81de3980b7b3eaed
AgentTesla
13bcf525a0617b8107fa61cd8fc1b47bf37c7a91291c3a68724cf3edac4aeab7
AgentTesla
23fbda6615005156d204371982d99be45fea990cf58dd637d8e5ec6550347346
AgentTesla
6348a886a9796d2fa05cd1792d8299c1a3a66e016b04a115e34c47d49415714d
AgentTesla
741f3a690a9f6efc608f0c310e7e8d3ddfd2aabc4272e1e714d68647faa3c3e8
AgentTesla
beb3412bfd48ed0ac960ee1f6f71d68d7062959b0f22c4fb045842ea601e597d
AgentTesla
cb923f272e0296a32c82331b4e12de37280c80d7cf320084f2a4e621f4387de8
AgentTesla
e2441bea072dce22af4853106891cb87d314461749fde2b31a0f6b3521e5daa3
AgentTesla
eb003f42d94ba71a9aaa8c2c3039e930a3024f5e476a9bf02f46cb0928515146
AgentTesla
f7bb01e6cdd242b59f4095d3a7d6398105b3030f87ae40f33932265ff520a954
AgentTesla
+ 26 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-hgazx5z8je/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 1ee09b56eb363f46b95737856b82a8fd297c1e488042dd6c1f813cdb616a894e

AgentTesla

Executable exe 40b64f01b9da5a5fdafaeae7226eb911ec29c6ecddd24aae32465f0c3b97fac5

(this sample)

  
Dropped by
MD5 e59019a07c32f9bbcf869bfbd178188b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1ee09b56eb363f46b95737856b82a8fd297c1e488042dd6c1f813cdb616a894e

Comments