MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 600c314a52d8bb7cbf7ed06ffe13ac5c34cdf4013ecedaec166b0d1a7ec6de0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 600c314a52d8bb7cbf7ed06ffe13ac5c34cdf4013ecedaec166b0d1a7ec6de0d
SHA3-384 hash: 02d0bca4728349ba34c0ab4e2b911db6e5c61ff528c5213008bad53a447b6eded825f56b138eff0905c14a13fa789ab8
SHA1 hash: eff1cbbd8a023fe8768c581cf9ba8ddcc79d351e
MD5 hash: 42c424a8130c913f8d0ab3bafa63e79a
humanhash: harry-india-skylark-alabama
File name:Payment Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:545'280 bytes
First seen:2020-08-18 11:42:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:9MU4kAaBcY1FmCeCMHtyCtpdlMFx79QXvVv3+P9fkUL4EcmZHAFaxmVmie9bngPK:9Lu1Ht3tHSH7sv5MkUL4EcmZHAFaxmVr
Threatray 9'912 similar samples on MalwareBazaar
TLSH B7C4F15C34A4F1AFE5ED8DB9EC645C3453617327420BFE078D53A5E0A7C9AEA9E000A7
Reporter abuse_ch
Tags:AgentTesla exe HSBC


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: eagle266.startdedicated.com
Sending IP: 69.64.39.14
From: HSBC remittance Service <payment-advice@hsbc.com>
Subject: Fw:Re: Payment Advice
Attachment: Payment Copy.iso (contains "Payment Copy.exe")

AgentTesla SMTP exfil server:
smtp.pengteh.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47749/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/600c314a52d8bb7cbf7ed06ffe13ac5c34cdf4013ecedaec166b0d1a7ec6de0d/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 11:44:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=magdcsss3c5xzp362bx74e5mlq2m35abh3hnv3awnmgru7wg3ygq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04cfd305f0d352144e6063af7ca62241127142e7f67e079b78ce10f95e33d29e
AgentTesla
0ca8c0c5ebf25e694725d965acf1d3db4a299c633fd895ea6f2dab80082d7337
AgentTesla
10167fec5a00f7ee3805a502684ca59887be73bc350946a0f7989080e06859d8
AgentTesla
51868d20e4a12a9c843de2e2265cd8fc72577d511d73a5451e8b891654e546bf
AgentTesla
66a821494ff2c4e9d5dbe663572f4f46df6993b0a661a29cd4a3da18414b9527
AgentTesla
6c7624c020bb11d5803286dc0fc1d9ee44d21be97207573051bcd322091a731b
AgentTesla
a1b6b0738cd107907d5424d385b9471ebac0abcef1d2f7febd2762d69d39eeff
AgentTesla
bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6
AgentTesla
e3e667f5f3f179990bcb4616c8e5d56eeb8399bd867799c4bc68fac82c9b0a0f
AgentTesla
f6b1d589dc64f831e1c8e5dda0de1a711aa909ec29c86a7471ae04471ae8bc5f
AgentTesla
+ 9'902 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200818-jlerhh5l2s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 54017f72cc03e26e23e48e493530385f8c802b965497f80fafeef1578cfd3a3d

AgentTesla

Executable exe 600c314a52d8bb7cbf7ed06ffe13ac5c34cdf4013ecedaec166b0d1a7ec6de0d

(this sample)

  
Dropped by
MD5 bb02d23707906c72fe106c00adc24452
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47749/
  
Dropped by
SHA256 54017f72cc03e26e23e48e493530385f8c802b965497f80fafeef1578cfd3a3d

Comments