MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 753b13f8023f090e704dcf91b6e9430aa52a83acddcce04638f978bbcd1f0fc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 753b13f8023f090e704dcf91b6e9430aa52a83acddcce04638f978bbcd1f0fc7
SHA3-384 hash: d49659a9d9238ad952212a1c320e914bce65a22b46bb0f873c44bee3c644691fda28628ee8200f21b76d517fea1cfc8e
SHA1 hash: 4580b0268fe95f9f8c228c39c471983e607d61fd
MD5 hash: 01d990c6411e9f8ab85888231a7e4417
humanhash: november-lake-blossom-blue
File name:INVOICE24399.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:428'544 bytes
First seen:2020-07-08 06:56:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 4fd7524a853fa06847a229c4ee1aa228 (4 x AgentTesla, 2 x Loki)
ssdeep 12288:ZbvqyLTFdcd/g0jDKgQBh+dnV14w91WE0XQ:Z+ylKdgGegJdnX4iWjXQ
Threatray 11'131 similar samples on MalwareBazaar
TLSH 99942320DFE45ABAE1180C730D071F911718E8195F5C2BA24FD3EDAD7CB2BD66E9610A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mx-s1.vivawebhost.com
Sending IP: 174.136.29.40
From: tassia@haltons.co.ke
Reply-To: lambertchan12@gmail.com
Subject: INVOICE
Attachment: INVOICE24399.pdf.XZ (contains "INVOICE24399.pdf.exe")

AgentTesla SMTP exfil server:
smtp.mail.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22895/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching a service
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/753b13f8023f090e704dcf91b6e9430aa52a83acddcce04638f978bbcd1f0fc7/
Threat name:
Win32.Trojan.DelfFareIt
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 06:58:08 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ou5rh6ach4eq44cnz6i3n2kdbkssva5m3xgoarry7f4lxti7b7dq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
2409f04509b447f04121091d6b20dde5291413f155de031ef7e306c736ed9242
AgentTesla
59dcd83a970ad6a06178eca59bd9c3bf0e7911af14bd2e0d706b060d8801ed0b
AgentTesla
6829d0fda2947fe416b54669b3bfa03020e2b191f412292f5b6a53abb638bcfd
AgentTesla
6b0f2c8d4a8c8883be658db9868b33db30eb73755e4688279c29599eb25c6099
AgentTesla
9a99082664fba770485b23172f61bdd349863e9803d7a01170e1839026c6a0fb
AgentTesla
a62a90789d488d851050ad121400c40bdcbad55ff7acedca829edff301b0342d
AgentTesla
b1c01251f188fd002ea3dccd1b74db29da48f6c40511ec96a6b27de3dfc932a8
AgentTesla
ca0b556ff44259aacea1061aec8f026cca87dd2f8e786349ce312cbc4f8690db
AgentTesla
ca3c1be826d1b96990a9b309a123152deeb2553cff8e21dca04bac645f154628
AgentTesla
faa14b162487c010a973901cb7a91e48c512b0193fd449be475f94c32b0ff212
AgentTesla
+ 11'121 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200708-2k5yq9wrr6/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

8b356868ad95c86eabf7079110088af2

AgentTesla

Executable exe 753b13f8023f090e704dcf91b6e9430aa52a83acddcce04638f978bbcd1f0fc7

(this sample)

  
Dropped by
MD5 8b356868ad95c86eabf7079110088af2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22895/

Comments