MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 785b935be29af7c8a26e4080b1d4dc3ad93589d7175773b0b1fbad99165b24ef. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 785b935be29af7c8a26e4080b1d4dc3ad93589d7175773b0b1fbad99165b24ef
SHA3-384 hash: 7152cbd14f0ff220120338a725f00ff4d56dbb1a68795ad691f5d571503e85ec235b974f02c5598de20ca3585dfdd50a
SHA1 hash: 1b909e95504f780a6b5a34e3cbec7542468ce0d8
MD5 hash: 1883cc5a5f6d2ecd6755615958f9aa91
humanhash: paris-mobile-delaware-wisconsin
File name:INQUIRY
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'417'216 bytes
First seen:2020-06-16 05:38:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash afcdf79be1557326c854b6e20cb900a7 (1'102 x FormBook, 936 x AgentTesla, 399 x RemcosRAT)
ssdeep 24576:/AHnh+eWsN3skA4RV1Hom2KXMmHa6gaB1P0XRYjOaIg6iA+VZTJqZ3Nm7eSWKMAm:ih+ZkldoPK8Ya6gaB1ciyq62i3uhWPT
Threatray 11'101 similar samples on MalwareBazaar
TLSH E765CE02B3D5C032FFABA2739B6AF24156BD79254123852F13981DB9BD701B1263E763
Reporter abuse_ch
Tags:AgentTesla INQUIRY


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: pdlc34160.ciberserver.com
Sending IP: 176.221.34.160
From: Marie Gracia <opr6.ae@absaco.com>
Subject: RFQ- 15712
Attachment: INQUIRY.zip (contains "INQUIRY")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/10594/
Detection(s):
Sanesecurity.Malware.27686.AidExe.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.AIT.Trojan.Nymeria.1583.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Predator
Create hunting rule
Status:
Malicious
First seen:
2020-06-16 05:40:10 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pbnzgw7ctl34ritoicaldvg4hlmtlcoxc5lxhmfr7owzsfs3etxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1c8ee9c80b54c9a2f245d2e98ce8d25702becbc6584135c4278169d406016dd8
AgentTesla
2a2a628e23fa234e422aa5edcb6718f54e5caa2822ee10950a30619d9e9b0534
AgentTesla
55e93e43efaeb600deafd813f7eef356e836904b0d83e545dc47b3ed0078316b
AgentTesla
6f6a327875691d7d61cdb1e73bbe10e1252493f9e8b2a9c5b0ea31fcc6c38925
AgentTesla
7b668bf6740289b2750a497800467fcf725fb111071e3ea4e74153e5159a3aef
AgentTesla
888a23aef242f26dcfdbe6591715d698ad3b1ed16b8946b31ff7e44da3ddead3
AgentTesla
bfefac71337cac5e66779e74fe6ba571620329ff9da8d7ce21999d90b46bcdb9
AgentTesla
d2a772260616ccc61555ef2c4e08d53bd33c07997e63250e6ff7e1bdc9c96238
AgentTesla
e19831bf62256c4c97a30d37b65c04eda5a3de110ba19f66d22750cbdfc9a5aa
AgentTesla
e59cd07929dcd890599b9ef376fb022a9b0408cd3547a6ebcbffca87932dd631
AgentTesla
+ 11'091 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-vr24gce1ax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 1b18ffea96feb91fe7df6862c6af34601e9f14224d4dfb7856f4b04beb79def1

AgentTesla

Executable exe 785b935be29af7c8a26e4080b1d4dc3ad93589d7175773b0b1fbad99165b24ef

(this sample)

  
Dropped by
MD5 6bb1c7712e15e99105442857ada24472
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1b18ffea96feb91fe7df6862c6af34601e9f14224d4dfb7856f4b04beb79def1
Cape
Cape
https://www.capesandbox.com/analysis/10594/

Comments