MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 647ed4118aa8015f145cab92b15b53dee0dd928f7b3493d138696a5e28a201ce. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	647ed4118aa8015f145cab92b15b53dee0dd928f7b3493d138696a5e28a201ce
SHA3-384 hash:	cb7db64775640bd9189190f394dc90f54023213217319f750dab31d032002628f5906970289cdc7f023ffda079267af7
SHA1 hash:	6f300f2a43c60690134fea10b24532cd60c7be13
MD5 hash:	e356d2d61abc2768e39f0aac3a205137
humanhash:	oklahoma-black-crazy-cardinal
File name:	PO#VBO5678903442244_png.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	589'824 bytes
First seen:	2020-06-14 07:17:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:yU8hv68+61UwSgGCng/H/SF1qwTwEC01S7piBxenxTkqR48iiJ3iX:Wv68+FtKF1pTwK1S7pXc81J3iX
Threatray	8'305 similar samples on MalwareBazaar
TLSH	C4C4BF98754071DEC82BCEB298A91C209B517C67932BC307644736EC5E3E6E7DE129E3
Reporter	abuse_ch
Tags:	AgentTesla scr

abuse_ch

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin

# of uploads :

1

# of downloads :

72

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/10148/

Gathering data

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-06-14 07:19:03 UTC

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mr7niemkvaav6fc4vojlcw2t33qn3euppm2jhujynfvf4kfcahha._file

Verdict:

malicious

Similar samples:

068913ee71c4db45fb45023abde33d4db5b7f937bcefe052da0146c8b777848f

1d2a780d54c81fa2a4990bce7f008d8a1445ee1a47ea40db306dad6994285845

268ea227f9a30b6221814ba9efe354f2ab07607b6273c8b51fb33d19aa332295

6a47bf03b1ffebac3ef5497af7d67aa562f3c401c3694d8551f7092f7f469313

7372e91ca331f6ae841f5251de3ee8d34084f96cd089c8d56b8a600767d76a16

7d16317ca81889aab8d6d82440ab0fb2375d4ef7747f2b1d77936fd79141ba77

8447de07af7d5976fca9d1df317d72489dc735fd0fd571d6df0fee9d43cd0448

8a1996e7954954071c7744530ef5a31a93ee9ff5cce447611f622f88718ab1b4

b12752a638275e30869b256d2a7b0d6576e7eaa4b8f062d1e1e530a1a23d0736

bf04f6a3d759b9ce48f004cc8667d1b30b97451bcef767932fa6cbdd96ce87e9

+ 8'295 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-het9zjhzt6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

ServiceHost packer

rezer0

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

exe 647ed4118aa8015f145cab92b15b53dee0dd928f7b3493d138696a5e28a201ce

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/10148/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample