MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67819aacac4994b55659a8f7924ec0384e667ee74fe5b431a731ac5baf69448c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67819aacac4994b55659a8f7924ec0384e667ee74fe5b431a731ac5baf69448c
SHA3-384 hash: 110c3fadcebffedcfe9b861bdec8d71b0e4b3e8417e18030095f31b2931fbf1aeef5c4da9542f339a1cdbebf931efb14
SHA1 hash: fd399b3d85388b44a9e7ab21eb0131f0498364bb
MD5 hash: e06836b92d0549a209b5fdc76478ed5e
humanhash: berlin-lactose-north-kansas
File name:Order_8383747_list.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:506'368 bytes
First seen:2020-06-02 19:14:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:3n/h+xMVYYPXOmcUTQ6+PvzaxLqtp4GOSL9YOIk94o:3v2sXq6Oza+AG
Threatray 10'633 similar samples on MalwareBazaar
TLSH 86B4F1DD725972EFC85BC472CE595CB8BA5074BA530F8213A02760AD9E4C987CF285F2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: zimbra207.megavelocity.net
Sending IP: 192.206.6.182
From: support-IN <support@budget1.in>
Subject: Pallex PO A014758760_ITALY.
Attachment: Pallex PO A014758760_ITALY.rar (contains "Order_8383747_list.pdf.exe")

AgentTesla SMTP exfil server:
premium57.web-hosting.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-02 19:35:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
29 of 48 (60.42%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m6azvlfmjgklkvszvd3zetwahbhgm7xhj7s3imnhggwfxl3jisga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
102cd8a7207ae8f27f844ffbb51eb18a95ba3f6647aa2b2d7031dd3000ff225c
AgentTesla
1dc42296af9ef7fa6fb9f894947b9547b964ff2926894bb2b52a09283b7a4b60
AgentTesla
4119ad71f4f0b90b51e983fdf38008b853ebdfd0db175704d59fcbbc2adb8cda
AgentTesla
423c8c0b4eb6fc15b614326190cbd2b932f5480fdc1791ca9c03dc696ef61b31
AgentTesla
640e087a78aa77a9bb49027500f1f29f9d31f5b64c13c99b690ea813d0737fd4
AgentTesla
71146568c5f7e1bc849a6f73bf08ba68c14e73fcaf049da083879f15a2cecc44
AgentTesla
8a463f15c830e566292963bf3473b16288e71350e97d84359499fd33b7329a66
AgentTesla
cea8cae444dd5dadf01c31def4681b170907b97e0cfb468a9ff317ce7ae736a3
AgentTesla
d3168e892cc0eac2e010fa380fd64aae8c55acddb06344b543a6fb0cc05e8dd3
AgentTesla
e651957af4c527f8a23f8c3094232c887e2a433974ab54e48e2519e8361809a6
AgentTesla
+ 10'623 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-lh64xcmwsx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 80d4005825aed4efeec53e69e8410b92d7867e4c7b229d1d959065ea2451a295

AgentTesla

Executable exe 67819aacac4994b55659a8f7924ec0384e667ee74fe5b431a731ac5baf69448c

(this sample)

  
Dropped by
MD5 758b99c1fa2ddf118d29e1de5ee683fc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 80d4005825aed4efeec53e69e8410b92d7867e4c7b229d1d959065ea2451a295

Comments