MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 64baf83c9b911fb05c284a8bb464c930d48ce9e50b8450d707bf78df0b169942. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 4 File information Comments

SHA256 hash:	64baf83c9b911fb05c284a8bb464c930d48ce9e50b8450d707bf78df0b169942
SHA3-384 hash:	1ac455ec54234ad838826c020d28d1a53ed98a9e96704d995c324380717420403241887a2a44ed0ce40785e244e6cfc1
SHA1 hash:	8b7193c4033b8e5ccee047d5abb010b985388d2a
MD5 hash:	04bb4ade2196168502a19cc89becea09
humanhash:	salami-nineteen-helium-tango
File name:	Invoice_Copies.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	459'776 bytes
First seen:	2020-06-03 06:33:00 UTC
Last seen:	2020-06-03 09:05:03 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:+ovABiSBfouNkZMkqMgEK2lh5DpnpytS7opGJquAHDXQe5crk9flW1MCYquvPV7:+ovRS5ouNmiMgCn5tpog2XQZMCI7
Threatray	10'669 similar samples on MalwareBazaar
TLSH	E7A4F01B39986D27CE6C88F5D4E2125247FBC2051692F7C9ECCB60DA26C6BF50912E4B
Reporter	sergedroz
Tags:	AgentTesla

sergedroz

From: Accounts Payable <accounts.payable@thesunsiyam.com>
To: HSBC <remitter903@hsbc.com>

Sender: srv1.demspor.com

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/366528

Behaviour

Behavior Graph:

n/a

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-03 06:35:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

26 of 48 (54.17%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ms5pqpe3sep3axbijkf3izgjgdkiz2pfbocfbvyhx54n6cywtfba._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4251133ebe04bf0de34a7a1972342c77442942a4c2417f28c56145b2ee9ad451

AgentTesla

57ac709fd6909469a9a42bf53e37a3bcde0b0b1b613e146423fe6f0fc7c5623c

AgentTesla

7e0ff16b703b28cbddcb1dbee887ecc563e6cbde9e39216924280436ad5dc588

AgentTesla

94fcc8c7fd53c5463c0d33d1f74b5c7c8c0ae95ef097477958acb9df1ae5a15e

AgentTesla

a014e0a743059e2028857df1f0440dc364c988f32100a5530a719f0339a0bf99

AgentTesla

c133315365e9f0824d0783e78b9cb01d54aba4067c73cb148ea795819b49825c

AgentTesla

d2a97ab97d0977567f4b2ee6ba659725fc82e9d4fbdf293b5f2bed5152d40af5

AgentTesla

dd780d46887a6d0abe23b50529aab25de2a5ed452ae9feba3dfbe3e6cdff7c22

AgentTesla

ea2e7ec387cf91e0ad3d44c01b25adc702061e93b66d21f8b3dd1eab812045f9

AgentTesla

+ 10'659 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence rezer0 spyware stealer trojan

Link:

https://tria.ge/reports/201109-axfe9zhhcn/

Behaviour

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

rezer0

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 64baf83c9b911fb05c284a8bb464c930d48ce9e50b8450d707bf78df0b169942

(this sample)

Joe Sandbox

https://www.joesandbox.com/analysis/235214/0/html

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample