MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49699637f42a119d77bbf9a3e672ecdae9c7c6b1443a54abae0ff10494d66eb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49699637f42a119d77bbf9a3e672ecdae9c7c6b1443a54abae0ff10494d66eb3
SHA3-384 hash: 393568f9eaeae5a69553da0ad3615da762375500d44a0d9580091fe317925ce4571d51304513f5b93d466ec88e8f8498
SHA1 hash: 0178cadce3a9c5efd3d074633c721c074b1a5d68
MD5 hash: 671076c208613fd6f01cf6ccf7df4938
humanhash: stairway-don-table-snake
File name:tracking number.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:565'248 bytes
First seen:2020-07-07 12:43:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:vIXFSwN4Q3OLK2lpbd84QiCzjJLEoP+7Zld/lWbJxaipL1OU+BHtCObokXhRwWaq:68U+xBbokXhRwW1ATSsZg
Threatray 10'721 similar samples on MalwareBazaar
TLSH 14C4BE7122B5AF86CA3A4FF6A55424005FB52A6F32BCD3696CC130CB55AAF044B91F73
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.taie.ca
Sending IP: 198.1.127.248
From: DHL Express <support@dhl.com>
Subject: DHL Import Clearance – Consignment : #600595460
Attachment: tracking number.r00 (contains "tracking number.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22263/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/49699637f42a119d77bbf9a3e672ecdae9c7c6b1443a54abae0ff10494d66eb3/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 12:45:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jfuzmn7ufiiz25537gr6m4xm3lu4prvriq5fjk5ob7yqjfgwn2zq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
635753c983a487432d0bc4acd4163fa6125f2bd3f61f578b543f3fcbc83961b8
AgentTesla
65a334681f28acfaf75675f309f6f05daa3e6e3b860771730a38ee701cfdef20
AgentTesla
73a4e945a1c898ac6a48f8359785c4bd85a1e9af7423db4bd18149c428503cb2
AgentTesla
7de0526b8356dc1047388b5958ffb3e6ebdd38e48565c2544fc568dae0fa33ef
AgentTesla
853b8b5ab3cbde2381a1e4a6721ea06faf392dcab12c955fd908b7da578d6e37
AgentTesla
9c5da09379aac3c9b0c5fe8dbca524809a1109f2e57b218b5f48b9f2e32a4bf0
AgentTesla
cb939d718786f89ced507e2578f992dc26698ed13f744b5b7307f374cd24243d
AgentTesla
d96fb3fa5c309d3ec542c767d220336399ba763a0509b75fd08fc5fbffc7b2ff
AgentTesla
e8354b6fbf1b300bf85684f18f48209e2c767c8654d2ab6bcd50375b23deb03c
AgentTesla
fa1996ef1afee946b4386f49613daa9aae54eb4f04064d78d411843ae7a7fe43
AgentTesla
+ 10'711 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200707-xn4x4d96sn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 b3e1bdff41e1a177c9b070c52d5ce06b3bcd2ca1034c54bd58e9db79bad9605e

AgentTesla

Executable exe 49699637f42a119d77bbf9a3e672ecdae9c7c6b1443a54abae0ff10494d66eb3

(this sample)

  
Dropped by
MD5 1b0e1f24952f51ebfcd4c0df6c604f26
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22263/
  
Dropped by
SHA256 b3e1bdff41e1a177c9b070c52d5ce06b3bcd2ca1034c54bd58e9db79bad9605e

Comments