MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c19cbbbb385a448d0033fe89cf139fff95ea9760ac2f0e9fa9acac60d180b81. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	7c19cbbbb385a448d0033fe89cf139fff95ea9760ac2f0e9fa9acac60d180b81
SHA3-384 hash:	21145d65ded5abc684e804d55a66103c1fd8f29bb6a9eb6dcf3e6f33159ac0ef8d33cb018a31f721660a5ea79566d323
SHA1 hash:	b9f8ffe26efd5c7b3cbc55027dc099f3573690b2
MD5 hash:	960b0304ac2537192e73521cc798876f
humanhash:	south-pip-oven-whiskey
File name:	Akbank Hesap Özetiniz.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	870'912 bytes
First seen:	2020-07-08 12:50:47 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	24576:iX2h03iT3z6iS0M/8U8ewzZt2d1yJslhtWoslhtWAos:imh03O3z6d0M/8U8ewzZkTyMhtWlhtWA
Threatray	10'950 similar samples on MalwareBazaar
TLSH	5D05CF35BBE19901C77E0F36DD7312004E76A8BBAE06E68F5DC825ED4CA67486A13707
Reporter	abuse_ch
Tags:	AgentTesla Akbank exe geo TUR

abuse_ch

Malspam distributing AgentTesla:

HELO: server.nemutlu.com.tr
Sending IP: 94.102.12.60
From: AKBANK <hizmet@bilgi.akbank.com>
Subject: HAZİRAN 2020 Akbank Hesap Özetiniz (Ref:2070594879)
Attachment: Akbank Hesap Özetiniz.r00 (contains "Akbank Hesap Özetiniz.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/23104/

Detection(s):

SecuriteInfo.com.MSIL.GenKryptik.ENVP.1459.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7c19cbbbb385a448d0033fe89cf139fff95ea9760ac2f0e9fa9acac60d180b81/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-08 12:52:09 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pqm4xo5tqwseruadh7ujz4jz774v5klwblbpb2p2tlfmmdiyboaq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

37299afa1d46a1aa02b7b06a39d41d876f454047527e406e7cbcb659833de728

AgentTesla

5f424b8c80f27423b12cdf9d7d6a70937edb28fe07b8ed4dde0e965810cbd674

AgentTesla

69fe5bb4b975f9437b6c3bcf3f07dc807a8f2e848f1e0c5802012295b06a742c

AgentTesla

8100b701682e9fb7c4165631216913054e2e201f4cd63274ff1151ade42098c9

AgentTesla

848b8d647cdae7cf35f1322fb01fa3aa122c3d783bfa7b66791ec4ed1a66fef5

AgentTesla

be4a89687a7d185648c2e9341a18b37d06e71b06cbbbb8b3d2f6e0bc215a8548

AgentTesla

d3585150a0d7118b7d4dd19bb781d4eee5887fa56bdd61a337181a9ff24f023f

AgentTesla

d823d3c8c26635339f3de0090fb21441f5d2f4db1a0567b2028ca8e3e7f5670e

AgentTesla

e6d6cda38ec798c76fb5727c7af199c496408484c68f3d7c0d34d6be09900ca0

AgentTesla

+ 10'940 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200708-jpgytre26x/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar