MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c26d9cbfa013795a0f2449f5a8c5bf3c880d4292d6ee2218f7a0520aff6b1ac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c26d9cbfa013795a0f2449f5a8c5bf3c880d4292d6ee2218f7a0520aff6b1ac
SHA3-384 hash: 0aa20400b1d46874ae958d130407b07eb364606030927ceb5699fa5def50edd7b359b4e887f6b8abf87379ace5bb117a
SHA1 hash: bd54e195fb4c835b19e56438b1919c614ed5680b
MD5 hash: 19a770e6eb6a6e8ab855ff0b3b0d33dd
humanhash: carolina-winter-double-mountain
File name:DELIVERY DOCUMENT 7402853496_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:364'032 bytes
First seen:2020-06-09 05:57:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:ooxpPfDv2X0Het934tDAQT7VPUvTM5oBxuu94l+uAPxt:okjv2Pt9EDAQ9PaTMeBPa7APxt
Threatray 10'660 similar samples on MalwareBazaar
TLSH 8674F1887A5176CFC86FD0B2DDA82D68EAA070BB571BE217845355E9DE0C993CF040E7
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 45-138-132-30.derakhshanrah.com
Sending IP: 45.138.132.30
From: DHL EXPRESS <CUSTOMERSERVICE@DHL.COM>
Reply-To: DHL EXPRESS <soomla6384@yahoo.com>
Subject: DHL SHIPPING NOTIFICATION
Attachment: DELIVERY DOCUMENT 7402853496_pdf.rar (contains "DELIVERY DOCUMENT 7402853496_pdf.exe")

AgentTesla SMTP exfil server:
mail.citotest.co:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Mal.Generic-S.4754.25347.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-09 02:21:39 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqtnts72ae3zlihsispvvdc36peibvbjfvxoeimppicsbl7wwgwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
153a46afc5a3b15da6598ce740a8aef66570875659e706fd91d501978cf87e46
AgentTesla
28661e85795aec8e469e9000abc8e50f5ed65150e778f0547a837400fdecb468
AgentTesla
295559b328cede1f21d71c42a11421387faf9f552d2719f07d5fe8b9e755e0d9
AgentTesla
4cd234eb292c25936d72ccd7b844bd2ab2f351de46edd2aefbccc6f68d99eb38
AgentTesla
53e801de99fd2e86a91a912108b196c3f9567f6c7394fac6050861cd3b8777e2
AgentTesla
638ec465ca7f065abfb5ffd1f780aa64fca634ad91e6aa99a6d3d2fb7ffa149a
AgentTesla
8e25e9d853665fa11aa5c7e3bbf2cd3dbc594e2d12fd53924be0b8715eea41f1
AgentTesla
9b623e314a1bcb7ed32adcd0e67be581f3af809753667c6cfcad885e94d9d7ac
AgentTesla
c20f6ecb4af7977e715fbe9d26e1c15b0b82f784b3591286d666b940b1bc5d8c
AgentTesla
d334bea4c2d8e2cfc9bcafe46792c8b8f79f2689d81ef01754224c7257022764
AgentTesla
+ 10'650 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-nqp63tgs9x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar ea8e45b85cd7c3fde39a8f17e7fc427e010bf75c39ada379ecca99ac511571d4

AgentTesla

Executable exe 4c26d9cbfa013795a0f2449f5a8c5bf3c880d4292d6ee2218f7a0520aff6b1ac

(this sample)

  
Dropped by
MD5 a92381735ced9b69c4017aabb0661a53
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ea8e45b85cd7c3fde39a8f17e7fc427e010bf75c39ada379ecca99ac511571d4

Comments