MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 57ca03ed071c9f56f18c5523cb51ed1244156a2557ff6afb751da95eb5d6f653. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 57ca03ed071c9f56f18c5523cb51ed1244156a2557ff6afb751da95eb5d6f653
SHA3-384 hash: 2ac8d98615309f1a9b9614b4893733d4737d6791faf614854bdcfff9095d18d692989c88848589136058c4fac63555a3
SHA1 hash: 342f52842511c56b943728efd665a32d24da1163
MD5 hash: 062cf33e71abe6d9453545c2ed12086e
humanhash: october-jupiter-coffee-happy
File name:Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:462'336 bytes
First seen:2020-05-28 14:43:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:T1OK5xY+URqcJdTXH0s6oVeXvYqWxZO/NenALz:A+URq8H9eeAL
Threatray 10'567 similar samples on MalwareBazaar
TLSH 35A4F24123A84F33E8BE87FE44A1550187F5152B7912F38CADE7E2E6176BF024661E93
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: jdclnc.com
Sending IP: 84.38.130.163
From: wall@jdclnc.com
Subject: Re: Invoice
Attachment: Invoice.7z (contains "Invoice.exe")

AgentTesla SMTP exfil server:
montana.co.ke:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gc.1469.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Genkryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 15:01:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
16 of 31 (51.61%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f6ebc0016da851a5c48bfe7ce83697344353c84ae5ace666225f8742b30aafc
AgentTesla
3b41434cac030dea85082658f577f7cf7821dfc36c8e0ba8975fb915030e38db
AgentTesla
4692f4e0ec2163456ca3eb3a20625b55a31601e00b35f2ac96ecadc927ae3969
AgentTesla
4dc1a8739a91b1de60bd63bf9d9f0a8c4619133ceb0c22e6559cdceecaf69086
AgentTesla
638e2506675b6963358990b817617b7269f31521a9a4ffb6745bfcbfc6366034
AgentTesla
6ae239d55a04fc135b9ed665b8e8ad720672eca86f5b76a441da1e155ac755ad
AgentTesla
90ee716f9f3201df256aebb21729e5ddda6d832424af3794756104ecd0866cb9
AgentTesla
e3bfc6f40176d8546ae975991ee2fb59980cac07fecbfb273b2a8b51b33a3713
AgentTesla
e87994afd28861ccd7589912ec2fdd5193585fea926b8842bbc7aeb08f647799
AgentTesla
ebac52b6385e39a11c6aaae7287b22f00a089f4f1037b0be8d3fc3a4e32dfe98
AgentTesla
+ 10'557 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-kc8aj17f2n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies system certificate store
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 8aa8e1a27decb01a3b179385bb9d008be6b43c8f8b7cfe76cea54da786fa3646

AgentTesla

Executable exe 57ca03ed071c9f56f18c5523cb51ed1244156a2557ff6afb751da95eb5d6f653

(this sample)

  
Dropped by
MD5 0f28e64d3cbd8c56395f024d6b72550f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 8aa8e1a27decb01a3b179385bb9d008be6b43c8f8b7cfe76cea54da786fa3646

Comments