MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6829d0fda2947fe416b54669b3bfa03020e2b191f412292f5b6a53abb638bcfd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6829d0fda2947fe416b54669b3bfa03020e2b191f412292f5b6a53abb638bcfd
SHA3-384 hash: 7da1d5d7eb786244a30346a2be41bb5cd64ff58c06af4bf69cde35ec303b7f31ee69f023b95efcabd4834b5f1f8c79ed
SHA1 hash: 4278098abed040fb48f5331e55423d98f335d406
MD5 hash: 52c543ad20bb81f1cecc7fb1d8ca7e8a
humanhash: september-bacon-alanine-apart
File name:revise pos.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:454'656 bytes
First seen:2020-07-07 09:00:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 04726b68348c0c3cf827797a9f6695eb (10 x AgentTesla, 1 x Loki, 1 x 404Keylogger)
ssdeep 12288:Y4p4rqo6AW98JN3MS57jlX68BsGLXw64xLo78gvFjxptcam:YBm8mFS57jlXSGLXwj9oYgtjxpL
Threatray 11'031 similar samples on MalwareBazaar
TLSH 86A412B2CF0A9831C2681DB349475FB412A8B063355E7B532B4ECD59F9B7453B980A1F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 142-4-22-49.unifiedlayer.com
Sending IP: 142.4.22.49
From: Purchase Manager <marketing@majbootmhe.com>
Reply-To: Purchase Manager. <marketing@majbootmhe.com>
Subject: Revise Pos - Break up details!!!
Attachment: revise pos.pdf.zip (contains "revise pos.pdf.exe")

AgentTesla SMTP exfil server:
smtp.mail.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22101/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching a service
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/6829d0fda2947fe416b54669b3bfa03020e2b191f412292f5b6a53abb638bcfd/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 09:02:10 UTC
AV detection:
22 of 25 (88.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nau5b7ncsr76ifvvizu3hp5agaqofmmr6qjcsl23njj2xnryxt6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
47c8fab622177ddaa495e4b9294c0949be6c7572ef15f831ee7c326af0200ccb
AgentTesla
59dcd83a970ad6a06178eca59bd9c3bf0e7911af14bd2e0d706b060d8801ed0b
AgentTesla
6b0f2c8d4a8c8883be658db9868b33db30eb73755e4688279c29599eb25c6099
AgentTesla
753b13f8023f090e704dcf91b6e9430aa52a83acddcce04638f978bbcd1f0fc7
AgentTesla
7927d24010f7ec25ea4026291036fbab975b5ff66398658e15c59165bb71e953
AgentTesla
9a99082664fba770485b23172f61bdd349863e9803d7a01170e1839026c6a0fb
AgentTesla
a62a90789d488d851050ad121400c40bdcbad55ff7acedca829edff301b0342d
AgentTesla
a884c6f90ec51dc6d39304e05efe5820d5c11afcd90abeaca8969b4adb9448e7
AgentTesla
b1c01251f188fd002ea3dccd1b74db29da48f6c40511ec96a6b27de3dfc932a8
AgentTesla
ca0b556ff44259aacea1061aec8f026cca87dd2f8e786349ce312cbc4f8690db
AgentTesla
+ 11'021 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200707-zbnh5zp5sn/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 05954232357b98d634ff3e9f30a5a8cd9db26355d0debc00bf3f6ca192c84749

AgentTesla

Executable exe 6829d0fda2947fe416b54669b3bfa03020e2b191f412292f5b6a53abb638bcfd

(this sample)

  
Dropped by
MD5 d3d0885decb45d79cb82779e791063a4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22101/
  
Dropped by
SHA256 05954232357b98d634ff3e9f30a5a8cd9db26355d0debc00bf3f6ca192c84749

Comments