MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 63f6b1b60bad01e24355ba56b1ffee392c87858a40ecd14d76e51ebe7c3333d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 63f6b1b60bad01e24355ba56b1ffee392c87858a40ecd14d76e51ebe7c3333d1
SHA3-384 hash: 8c2575e021df5703c6a790be40fd7ee95d4cd1d97f9239224aa45011ce8808fc5bebd3647dda7762d0b5167dc8b6c458
SHA1 hash: c26488f16ee85d666588367fae928052b72ebef3
MD5 hash: 6d1e358e0b4c6e9a1aa67de5a93f93c1
humanhash: sweet-india-mountain-north
File name:RFQ 2020_06_10_PFF01.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:446'464 bytes
First seen:2020-06-10 07:43:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 713f097e626243ee8d8a433eba0b590e (2 x AgentTesla, 1 x MassLogger)
ssdeep 6144:NysC0zCeQDLqPpC2P40FhQvMBYqj8KYpyfMpoegcozmiKGDdht/:NfGPUpC2tR8KYpy3egcQVDdL/
Threatray 798 similar samples on MalwareBazaar
TLSH 099419ED7A61C3B0F80540313CA99889925DFD7B649D405AF7C97BA13F3064FA8A0B97
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: sarana.benvors.com
Sending IP: 45.64.97.68
From: 김진선 <jskim84@kmou.ac.kr>
Reply-To: jskim84.kmou.ac.kr@gmx.com
Subject: RFQ 2020_06_10_PFF00
Attachment: RFQ 2020_06_10_PFF00.z (contains "RFQ 2020_06_10_PFF01.pdf.exe")

AgentTesla SMTP exfil server:
mail.kteadubai.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 07:45:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mp3ldnqlvua6eq2vxjlld77ohewipbmkidwnctlw4upl47btgpiq._file
Verdict:
malicious
Label(s):
azorult
Create hunting rule
Similar samples:
009408ca7bf5c48fc1140cbe594f1461defd77206be643e1f9bd548986ad636c
AgentTesla
1d452b5f3e5d2b6623d0ca35793dfc051e1bf8b237e360906ed055e819235604
AgentTesla
371b9214f60a70c81ec1756d284e8028ff7603498341ecb7fa5cc09f3b10043e
AgentTesla
39c531db99d46a4b3906a41e6e1afdb2523106c795b11eecaf75bc3a1fbff57b
AgentTesla
519f100ddc98cfb9aca3e13c0095bddeadf11c50397096953171d042ca376fbd
AgentTesla
77839da1c15d6390080afe07320af399a007d5b69bf4fcdf63fc71e795929cf7
AgentTesla
831ba6efa4a49eb1c7ff749fe442b393c5a614f383bf1efb52512a183b4362fc
AgentTesla
a0fd9cf6002a8f7503dd47682be0dca44ffb66157c910ada1ffc360c2d7d70a6
AgentTesla
cf813a86d30ddd0c2ca59f73334fffd241bfd31eddfe30dc2e73d5b29ae752d1
AgentTesla
e25b667d727278544032a0553b0ce93d6634f27be4c5abb8b7f103337bc683e2
AgentTesla
+ 788 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-9r4d3p932x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 1800e1482166c648c3cb25c4f1790af2a2052fb0ee148263b28b80fe137b75d4

AgentTesla

Executable exe 63f6b1b60bad01e24355ba56b1ffee392c87858a40ecd14d76e51ebe7c3333d1

(this sample)

  
Dropped by
MD5 8f900d71e1105a0c7c94d2c36cd65307
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1800e1482166c648c3cb25c4f1790af2a2052fb0ee148263b28b80fe137b75d4

Comments