MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b05a5c0a723bcea81a9d6588aa1d5ab381972c15985c14392a0d16c22c20d40. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7b05a5c0a723bcea81a9d6588aa1d5ab381972c15985c14392a0d16c22c20d40
SHA3-384 hash: 207ccb15e9934ddd42cf4c80247f0ea50388ef99618c7080ff2630a3e60dcfe5d4b39177f35dc3494426231225231ea8
SHA1 hash: 099033b2c09c2f915ad869a2aabf4c89f00d1f4c
MD5 hash: 1565f2484e3c1551346257cd40bae3b9
humanhash: sixteen-whiskey-social-carpet
File name:Invoice DP No78I.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:717'432 bytes
First seen:2020-06-18 11:07:23 UTC
Last seen:2020-06-18 11:38:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:GaUPSe6VEJD6LpkxWOSI4Ms93T3GN5vEZ1Yg/VFmMbcdM8O/SNUPECs7n6:GaUx6VEt6RdPZZ/DbC6
Threatray 10'591 similar samples on MalwareBazaar
TLSH 85E47C3E7F46A902D03D057240E6978062B2AA473E42C30F79DDA7ACAF527CB3755399
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: iix02.zproserver.com
Sending IP: 110.5.109.60
From: thomas.liusa <cruise@minnatour.co.id>
Reply-To: FIBN_206@MAIL.COM
Subject: Invoice DP
Attachment: Invoice DP.zip (contains "Invoice DP No78I.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/19768/
Detection(s):
SecuriteInfo.com.Variant.Razy.691223.19507.22735.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-18 11:37:28 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pmc2lqfheo6ovanj2zmiviovvm4bs4wblgc4cq4sudiwyiwcbvaa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0056f11a7714396619331eba28b990eccbbaacfd0088c49138ea970d789f3d2b
AgentTesla
0eb12d3962140a829e5447544771641c92bdfaa6a545af9d701b69f5a882fd14
AgentTesla
180e63e884c208203b6f222673df84b703a55db642fcbc97183a979fc01381b8
AgentTesla
2c13ec5658318ce81c8da312fc020d69b881cd98ac01f7dae28c7e0150ce1698
AgentTesla
3427c2594dae4a281a8a2210032445c42b3287818d1e10b45a55b28f80372c35
AgentTesla
38525021970c707fe513c2589e60dbd8ee2d052e1f4700837a5b132b28baaa33
AgentTesla
3a583a9fa9039210e8d683200ca25b32993cd1840808ba3bac62f2c6e29ca7d9
AgentTesla
4b5962005864c7cd8c362e37987f7091991f6f3f0a992e02e1b51beb92292a5d
AgentTesla
d004305e1a97e0d5355965b8c236168ac1a5aaba63712424afb448147a4b5063
AgentTesla
d807dcfd04f5d5eac71522a29a6911c504039edb6277ba9b35953ca9f5fcef8f
AgentTesla
+ 10'581 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla persistence
Link:
https://tria.ge/reports/200624-z85zgmhh36/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies service
Adds Run entry to start application
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Loads dropped DLL
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0e3e14be00b9a36dba62a60eb36f1727cad133aa17cea51195611040db4157e6

AgentTesla

Executable exe 7b05a5c0a723bcea81a9d6588aa1d5ab381972c15985c14392a0d16c22c20d40

(this sample)

  
Dropped by
MD5 f540e8d88585fa54d7bd25775bacb0b5
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0e3e14be00b9a36dba62a60eb36f1727cad133aa17cea51195611040db4157e6
Cape
Cape
https://www.capesandbox.com/analysis/19768/

Comments