MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 70d4115c7fc43c33f82043b27f1468a8993e050d6ef6d404e92db15d288f1242. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 70d4115c7fc43c33f82043b27f1468a8993e050d6ef6d404e92db15d288f1242
SHA3-384 hash: 7c8e69c5b9d31d2e3d408815208a7d7610e026ab1474f339c2899e77811099dda19d1ca6e703c7b8e523ecde1d260313
SHA1 hash: 1e428b60b6d8af31d11989c97a8f1d2b5c258e18
MD5 hash: 308cfda2ec69b3b947c9103815160cd9
humanhash: high-mango-uniform-three
File name:Purchase Order .pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:470'528 bytes
First seen:2020-05-08 07:42:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:jl3KNYLwBws/4FUYUBMGzHkYsv81t2WnV+bAiHXg:jeoFhUr1t2WW
Threatray 10'721 similar samples on MalwareBazaar
TLSH FDA4E1483A9C32BED02BDB7199E1AC70DB613167B347E32A485315894ADEF85CE10DB7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: zimbra129-ind.megavelocity.net
Sending IP: 103.205.64.74
From: Credit Manager<kvnalin@amritcorp.com>
Subject: Request For Quotation
Attachment: Purchase Order .pdf.z (contains "Purchase Order .pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.48519.18764.15688.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-08 08:39:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
27 of 31 (87.10%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=odkbcxd7yq6dh6baiozh6fdivcmt4binn33nibhjfwyv2kepcjba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
14adf4dd13033d8ed032a7ebd489a056752df681ec958d92b92d8776d0387f7e
AgentTesla
31de84180c22ca65bc34ba7c57f9a89072332de81061111c9cfe118252d52713
AgentTesla
48cb0c4fdfb4205cb6453b225e6b0d52a0eaff3dec5d500d9b781e716fd4c394
AgentTesla
54cc594af291b63a7aa81a925ff2e240826e0a476cc32bdda8ef21791f87a2b2
AgentTesla
657c3aaed9651d4b1a9ad24a142153b920193ea3a73f117766808d5718a5b12b
AgentTesla
723071d4e54bdfd50d7ca47b02f67ea70aa59ddffbab36d8dbc5eadfd4b799be
AgentTesla
9f124b201243a16323689f45e0faacac2ed9f77f748b0b69045fea2c3acfaa72
AgentTesla
aef64c6cd279ba042b259ab95a0387609e76ad490e0bb07244779845589b8626
AgentTesla
e2b96f7379e5de46a80eee8f12fe8971a9c4f596c7a783eff9c3013ddeb0ad6f
AgentTesla
f7169aa58adbe12a7065383c75d9413cfd0480c8969c669d58b09821389c0f90
AgentTesla
+ 10'711 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-2hax9q7spj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z e1a4dc1b857a71ca0a5020f661c1e02a86cbc28620caf0f83a019ed10b1dd6da

AgentTesla

Executable exe 70d4115c7fc43c33f82043b27f1468a8993e050d6ef6d404e92db15d288f1242

(this sample)

  
Dropped by
MD5 d4013f42b4871e6c7e2b3d5f94dc6010
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e1a4dc1b857a71ca0a5020f661c1e02a86cbc28620caf0f83a019ed10b1dd6da

Comments