MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 73ca66b7ce5b07be4061ad3290efc71a914d9826c534c328c9a7e25a13832de0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 73ca66b7ce5b07be4061ad3290efc71a914d9826c534c328c9a7e25a13832de0
SHA3-384 hash: da53bb719b784907eaebdc4c5dcb62efd9523f9226395d25f6077e1f01b8e207372ce306597902107b834f519c553fc1
SHA1 hash: 75d900c6c9e377a883662cf709be448e331f95f3
MD5 hash: 75898639117f3a3d699ff3ed0d9d2a8c
humanhash: fillet-burger-leopard-minnesota
File name:STATEMENT OF ACCOUNT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:688'128 bytes
First seen:2020-05-21 15:49:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e7469bf17b9fb883eded4ceca68acb1 (5 x AgentTesla, 1 x FormBook)
ssdeep 12288:XSCgJ+D+QYBSoSEjaShXc5inDXIL5rZSHl0adTnH2hjf4ll/tbJC:i1dQMthekQrZ4vTWhbYU
Threatray 11'738 similar samples on MalwareBazaar
TLSH ADE4BF22E6A0443FC123167D9DDBD76C583ABE113928694A7BE51D4C6F38281782FED3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vps32368.inmotionhosting.com
Sending IP: 104.247.78.88
From: leenap@jamesrbaker.com
Subject: STATEMENT OF ACCOUNT
Attachment: STATEMENT OF ACCOUNT.iso (contains "STATEMENT OF ACCOUNT.exe")

AgentTesla SMTP exfil server:
smtp.pmdpharmatec.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Packer.BorlandDelphi-15
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.24267.5419.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-21 16:22:06 UTC
File Type:
PE (Exe)
Extracted files:
264
AV detection:
34 of 48 (70.83%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
AgentTesla
37d7cd08ca91dc9962cfd418aafc0d115b954ee72c181feaf7d986c1f56b26a7
AgentTesla
490a783bc399cb6dd9b64ecc8d0f909830fe1a351d18f148493fcdf6eefb52cd
AgentTesla
4aa9d9d468bbc5dca730ec755dbdf56fd2e3289b8cf3bde2bddc53881ca5c696
AgentTesla
6979a4bd390d6bf55225b6b4e5136a633502273812e1be5269e06318f778100a
AgentTesla
86acfdc1c2054a8a0166bcdda996b2d200519b5b9110b1bdec8e3f8318a4fc06
AgentTesla
890be95e80abe228a943aad583f5463da9b56f6191c0672fe3bacbbc2b67402b
AgentTesla
a45f5e600fa725b5e88d25aa9bed151147cc53a1be11ae02e9c1ea8dbfc13118
AgentTesla
bb94a881c3aa20c54450ee7d907eae152aa667a7a3280f7b00b44051d92322f5
AgentTesla
e56eb74588cbb6e02dd9ddbd860276840b8d89c8d46b3cd7b5299549001c29e7
AgentTesla
+ 11'728 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-2lqy44ykma/
Behaviour
Modifies registry key
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 4b0aa26d8ba651e247f3431824a4df3a7caa2a5adf1b3e495cd389b7cb908243

AgentTesla

Executable exe 73ca66b7ce5b07be4061ad3290efc71a914d9826c534c328c9a7e25a13832de0

(this sample)

  
Dropped by
MD5 dedda64a4f1daba74992d05ef8963dc4
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4b0aa26d8ba651e247f3431824a4df3a7caa2a5adf1b3e495cd389b7cb908243

Comments