MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 75ef91b36f46cb8875ffaa6af3cb7f38f8689ee9c16e50f9af87966a2648962f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 75ef91b36f46cb8875ffaa6af3cb7f38f8689ee9c16e50f9af87966a2648962f
SHA3-384 hash: beacb50d87d5d57acf8ea0f42ba0a9f9d5249e0dee00a5ab2b6dc7180834ca3f431bab99c8ff7f609fdefb9381d475f2
SHA1 hash: 279ddfc2e6e68aec5ca31c3c55af72573aed7632
MD5 hash: 73f62e274a1ca83359a980d1fdb5ba01
humanhash: spring-double-triple-alaska
File name:RFQ-May Project-6217 CK.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:431'616 bytes
First seen:2020-05-28 07:40:31 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:SqbUvhZEKiZ9KMkSSx9TDU6pc39tjYDVZSfEXpFTsIzz:SqcZR5Mkf95pXSqFTTz
Threatray 10'786 similar samples on MalwareBazaar
TLSH 6494C01D93C88DA4D69943366ADCF12FD6B499232143C33FBB643A8CE446BC18D966CD
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: [209.58.149.66]
Sending IP: 209.58.149.66
From: Ahmed Rahman<info@ccco-jo.com>
Subject: RFQ-MAY-PROJECT -4217
Attachment: RFQ-May Project-6217 CK.gz (contains "RFQ-May Project-6217 CK.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VXU.15319.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-28 08:34:39 UTC
File Type:
PE (.Net Exe)
AV detection:
21 of 31 (67.74%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
29f5b55f3ebf6dcd373d0e29a1eb271cf073d58a1e9e8a79cbfc5412a427c0d1
AgentTesla
2dc17476d3fd11bd7a844bf4e4f5b96b0784ce7d3376b8b8b02d408a4edbd772
AgentTesla
385d2aecc243498ba82e78d7c8b539aedf909e781496a320463d2dcba77a40bf
AgentTesla
4475f56105151bc2c1e47f372e9917a6c5eb1e75cf6ba62d66822725e9b3cd2d
AgentTesla
6571a6a2f8b29ed6ff0f9df04eb1081d339d76f81f3e1cf83245f7d1485907cc
AgentTesla
832356bca6bf9614fbae4ca6058fcb9eef76689657a0dfcaeaf32f28ecf0c24e
AgentTesla
92891933f5cd5e261f775149ca28b09ac1470b28a5d42d533ab5ed1712c18229
AgentTesla
ccac5881ca9beeead13f5c7f05b289e9d3013a9eea7ce8a087dcb0aade9a60e2
AgentTesla
e24ab81af3c1180cca15f762c2f6c4ac5807d73fcd93adf8a0ac5af4cd16db02
AgentTesla
f57973fe9b7144fd299f70cc04bcde1e442f6816de323361f1b09cb63c4e41b4
AgentTesla
+ 10'776 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-mcceganmqx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Warp
Create hunting rule
Author:Seth Hardy
Description:Warp
Rule name:WarpStrings
Create hunting rule
Author:Seth Hardy
Description:Warp Identifying Strings
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

82a4b1489c824d2ee037e01bedfb6a06

AgentTesla

Executable exe 75ef91b36f46cb8875ffaa6af3cb7f38f8689ee9c16e50f9af87966a2648962f

(this sample)

  
Dropped by
MD5 82a4b1489c824d2ee037e01bedfb6a06
  
Delivery method
Distributed via e-mail attachment

Comments