MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 765d8bb97b56addf0b725b4d289e6a73e8d5d80f74cf694d0831507690cfc8d1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 3 File information Comments

SHA256 hash:	765d8bb97b56addf0b725b4d289e6a73e8d5d80f74cf694d0831507690cfc8d1
SHA3-384 hash:	a8f0b4c990c63e2591b3903902b5f9271ad58875d4e821aaacf0161adf4fa1e0bcd75bf76f5a2d27415d0b16356f94a4
SHA1 hash:	a0db766cc228e6c93f54ea3793ca0149d7365f2a
MD5 hash:	0856708235c605f63b0316bcfe1e331b
humanhash:	fish-saturn-lake-happy
File name:	Nueva Orden.PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	414'720 bytes
First seen:	2020-06-20 06:03:00 UTC
Last seen:	2020-06-20 06:58:30 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:nqvcUEESRiA/K4pr0hvRWQxlClRD0UWBxfC8/u2LNgkGArkbf/PHqgT63:Dni7Vz6nD/WPuVJbf/fA3
Threatray	10'620 similar samples on MalwareBazaar
TLSH	4194015E81D88432F91AD7BCACC2351223A8F462ED62F7D80F0673F749267D1CA15A97
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: mail.lasmercedes.com.ni
Sending IP: 186.1.30.71
From: Costos <costos@lasmercedes.com.ni>
Subject: RE: Nueva consulta / orden de cotización
Attachment: Nueva Orden.img (contains "Nueva Orden.PDF.exe")

AgentTesla SMTP exfil server:
mail.arigmed.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/9917/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.50946.15075.8374.UNOFFICIAL

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-20 01:30:48 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ozoyxol3k2w56c3slngsrhtkopunlwapothwstiigfihnegpzdiq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2580c9b3595a33f6f0cf4565dca85a884d2aecf8f4324f61a81f02fb4a68ae20

AgentTesla

26f9c482fd452faa690d8a0ed01e9962d8850b343af8a59a6817852c6e71f6f6

AgentTesla

2c1988b65fec7b60932b4ecdd808c99f026ef9e6e97244b56ebbe629a22c1e4d

AgentTesla

2d52f8dfee7a708fec8ddfd1d6634c278ce495b703e48abd1a5436473b550926

AgentTesla

3ae84e98f262ec1d2a85e041ff786ff580bb8e9e101481d6928857602f81f16a

AgentTesla

49f8a53df63b928f15cf73f136aa4da17d47456f15a875ec68f6441f0ab476db

AgentTesla

54733b1af96fc6623b68b41df3bf4ea03ad0565ccf128d5d27339b8e5d003018

AgentTesla

b847ee42e6237b9e237bb9a762cd3f03a1da2d4a826cc395267bcfc74d0ccea7

AgentTesla

db118a6acd60d50797efccfe1088cd6c4df1ded228d3d85bfac9ea1598aaf4ec

AgentTesla

+ 10'610 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200624-hjj9pc9rsj/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar