MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bb718a80e06827e78d486894bdf8d3d0bec8b8e6345f6686272772fd05112aa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA File information Comments

SHA256 hash:	4bb718a80e06827e78d486894bdf8d3d0bec8b8e6345f6686272772fd05112aa
SHA3-384 hash:	4538fca11e3fad079b5f5b61d94df5dcb4e6c239f2fb3cd960ce3d025d19a1c1c14d63bf1338d886e717483b360ea297
SHA1 hash:	2dd05ca8af1fd087c2df7a1b4c6ba029ec572599
MD5 hash:	8c0729e108a41a5bb3ac5169e25d0f5e
humanhash:	red-may-harry-kilo
File name:	Payment Copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	444'928 bytes
First seen:	2020-06-16 19:52:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:+LSR/hi3PZfCfPbAJzh/ixylh2bBU1bJudXK9G9XbltOsHhvsG9t6:+e9hHfzAZh/GBbmtuZ6altOsBU
Threatray	102 similar samples on MalwareBazaar
TLSH	1194020CB25C0635C9BC5B7CD4F136540BF8B9663A22E74A9E8531EA1DB3BC68652F07
Reporter	abuse_ch
Tags:	AgentTesla exe HSBC

abuse_ch

Malspam distributing AgentTesla:

HELO: sc.com
Sending IP: 95.211.208.50
From: HSBC Global Payments and Cash Management <fbaraza@sc.com>
Subject: FW: Global Payments and Cash Management HSBC
Attachment: Payment Copy.rar (contains "Payment Copy.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

83

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/11077/

Detection(s):

SecuriteInfo.com.Generic.mg.3259304b55e59669.30738.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-06-16 19:54:06 UTC

AV detection:

19 of 28 (67.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=jo3rrkaoa2bh46guq2euxx4nhuf6zc4omnc7m2dcoj3s7ucrckva._file

Verdict:

unknown

Similar samples:

0c1bcef20d27fcba66731194a160f82d40835654754401490d498ae05efa7a89

1329f4a460dbf4db253e62fe07c6a747d20b8dff8d739fde9033b16b778acf01

287aef092cebbe5022ffc0c7557abeab45c2f0225cbb231b0dad810c70e33b79

3a8916af9d3c560e4c96fb155bda3e08ad9add97c3bc963b364606ba2a559b16

54977a7a3a7a1136fab5517a277b715a88a768fb5fd8f13a818c8574575ea439

5b000eaf6c2018a58b08a6c3cf0e119597e20da8d6de977b973de2ce121b4ee4

64c03c4f1e488b05a2284a05abae677689881f3c02f365f0c078b94ff22eb6e0

c222cf8e45e1fa3f41b9c4215cef0d671693fe83e6a0a5964fde2e9504a38c5e

df96c7a1be5f1de392872bc6810f49e90700b192696201b943ee958c77c40f07

f0b3f2e5bfee0f37c39392331af6a27a89e03a077d9e8084f6c0a5ffb843b27d

+ 92 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware persistence keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200624-vtgq2hjhz6/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies service

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

rar 74bbf0319e10f5f0a05bff737cea3abe886716b362240ae31e3ae313bd5036c2

exe 4bb718a80e06827e78d486894bdf8d3d0bec8b8e6345f6686272772fd05112aa

(this sample)

Dropped by

MD5 e833a494a24fecfa651baa92bb4a38a4

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 74bbf0319e10f5f0a05bff737cea3abe886716b362240ae31e3ae313bd5036c2

Cape

Cape

https://www.capesandbox.com/analysis/11077/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample