MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67b1723f20d7b740972a952dbe845536defe359e8cd44869347112f63bf690de. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67b1723f20d7b740972a952dbe845536defe359e8cd44869347112f63bf690de
SHA3-384 hash: e40235449aaea1ce9ede7e018aec0ffe3187301ee524228bf8c4a8b7ae96e0b1b9a29421dfa5c89762721ef8d4c8fe2c
SHA1 hash: 83bf35d817f6ce2e848c233082427e05c19e9b8f
MD5 hash: 21f49766fbbe896147a42ff1066a4e04
humanhash: nine-helium-west-carpet
File name:End-User Shipment Docs_Eval-MV-MARY#0001983999190.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'419'264 bytes
First seen:2020-06-16 06:13:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:OAHnh+eWsN3skA4RV1Hom2KXMmHaSsaBNS0rwHo7MRsLB0grTE6aO36u5:5h+ZkldoPK8YaSsaBNdrwUMRkB08Bv
Threatray 11'117 similar samples on MalwareBazaar
TLSH 8365CE0273D1C032FFABA2739B6AF64556BC79254123852F13981DB9BD701B2263E763
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vps.anchinfotech.com
Sending IP: 192.163.233.90
From: Mark E. Ocampo <import@tici.com.ph>
Subject: RE: AW: TH MARTIN 2486 MV Grace Previous shipment Documents / Arrival Notify
Attachment: End-User Shipment Docs_Eval-MV-MARY0001983999190.r00 (contains "End-User Shipment Docs_Eval-MV-MARY#0001983999190.exe")

AgentTesla SMTP exfil server:
mail.gcs.co.in:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10632/
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 06:15:14 UTC
AV detection:
26 of 28 (92.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m6yxepza263ubfzksuw35bcvg3pp4nm6rtkeq2juoejpmo7wsdpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3945669106668a82fcc127f418ea0b028c8d73057b4b1715bb296627901023b0
AgentTesla
398377f9ae0ed71b8942752ae63497e1a4a6535523d3755d0a2a1d0c439fd9d9
AgentTesla
9e8fd0aec01915f1668775c6d85cf1c0ba32c20b9f2cfe37afb506720e6d66dc
AgentTesla
a096be37bf968ab3dca1b64d485a191cf7bdc502a2d816d20e105ca7f3fdc701
AgentTesla
aafabbc33c3dcab75195c0a68e244c0b65043fd2fb966e8e66c46f76a1fca7dd
AgentTesla
b9457b508677dbfe250a6a41a890d921e9bdcab9c8112bd86837d2eecff05f4b
AgentTesla
bfd48afd0b518be91820b2d431b4499699358e50bd0d23b9c78c476bf0783a11
AgentTesla
c72bce28d1e0909a66971dfa01aa823b767a73da5cedc0679e962dc9230fdf56
AgentTesla
e4d7c1e05b2a55ebc758e7f66c3828b66eaf586d9ab648a189cf294a9fb45eb3
AgentTesla
f773cd5390003e190f79f0ce0f26b95513f2f4d78d4e5f6334515c44631e0a07
AgentTesla
+ 11'107 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-xw5x9tvz7n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 f1489694b5b16a1bb1a0188322b1b41e9684925fe2a2862bbf4a5fe8d7961573

AgentTesla

Executable exe 67b1723f20d7b740972a952dbe845536defe359e8cd44869347112f63bf690de

(this sample)

  
Dropped by
MD5 4b7821f94367782eeff85c8006aaf796
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f1489694b5b16a1bb1a0188322b1b41e9684925fe2a2862bbf4a5fe8d7961573
Cape
Cape
https://www.capesandbox.com/analysis/10632/

Comments