MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51e016d7614461f51389151f4dce30de7db0945f781b4d7d6ec6ab1ef97935fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51e016d7614461f51389151f4dce30de7db0945f781b4d7d6ec6ab1ef97935fa
SHA3-384 hash: 9ec0967c0cc9c871ce67c486ca8552d728f58e869ca4ddb991cc929aed7ad404470a91c59d510c30cf4ffac5fcfb0770
SHA1 hash: 1b418d57105690110b99ee6a52debef159512713
MD5 hash: aa488760f74cdffa5065895a9d4e16c9
humanhash: september-yellow-golf-gee
File name:PRODUCT LIST FOR MID JULY PURCHASE - 20200708.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:741'888 bytes
First seen:2020-07-09 14:29:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:X0OsfmhkKICZt+GhqfTNWuzNQ/pOacTaulCSRO6zOSgngI:CO2KICSGhqfTNGOLTESRL
Threatray 11'324 similar samples on MalwareBazaar
TLSH 38F48D323F99DC37D06A8EF9E0422254FE75CD4B8D97CA84C9BD229AC4B1FD07805669
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: m97144.mail.qiye.163.com
Sending IP: 220.181.97.144
From: Amy Zhang <sales@oppel-lighting.com>
Subject: Re: Quotation-20200708
Attachment: Products List for Quotation.rar (contains "PRODUCT LIST FOR MID JULY PURCHASE - 20200708.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23912/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Enabling autorun with Startup directory
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/51e016d7614461f51389151f4dce30de7db0945f781b4d7d6ec6ab1ef97935fa/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 14:31:05 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=khqbnv3birq7ke4jcupu3trq3z63bfc7panu27loy2vr56lzgx5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1aeebb408f994fab29b26a81576cbd195faf9d4a1e0ef4c299e38b970e43de2c
AgentTesla
1c2f10aaf4e8b9a9e90316e8b470616bac893609cd85374cb11bb4a1a3971e5b
AgentTesla
3ca89270a1e4ae27056087ab556bdadd89ba1ab27b505afa53a812c5f2acabc8
AgentTesla
4ff6913b35226527d4bb0bd458d326ad3d1bdd50b90aaac6d4eae1f7f43922c1
AgentTesla
775cbf86bee09ee9b8024f2d8da2ce47cbfc29d2a907df7387bc87fbfae40dcd
AgentTesla
7d3068aff051388b3332905ca9a26a10a1cd96441e3be9d908cd839088cc9d65
AgentTesla
997de5ed7182657e00985a8b1e5f91656a8d7ad171c504780c5edbdda5fd5835
AgentTesla
b3f42f7a9747edcd9d13cab3d0a41b3e0d3cde5a5548f5328b5fcf2f3e068d85
AgentTesla
b5cc8b2d62e6c2d6a9bf080c4c41e19295af7dae7230a63b7f6ad8def08e7ea2
AgentTesla
c4031838bc163076ff2845546cad4c409d9cec8a2100d78d4ea1ea75579f7c37
AgentTesla
+ 11'314 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware
Link:
https://tria.ge/reports/200709-sv38v8kzan/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Modifies registry key
Modifies registry key
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 377a96190206fd1808c1e1e473141be3d55c402f926afd39c7bbde013a0a3f1e

AgentTesla

Executable exe 51e016d7614461f51389151f4dce30de7db0945f781b4d7d6ec6ab1ef97935fa

(this sample)

  
Dropped by
MD5 07a5765bd01b7d6802a869eeb01a78fa
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 377a96190206fd1808c1e1e473141be3d55c402f926afd39c7bbde013a0a3f1e
Cape
Cape
https://www.capesandbox.com/analysis/23912/

Comments