MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7d7c564bbd04fdd7765b8f5d0ef8c1c21af8a247db06e9d02176dd2d60b5fd60. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7d7c564bbd04fdd7765b8f5d0ef8c1c21af8a247db06e9d02176dd2d60b5fd60
SHA3-384 hash: bea5542879d83a8f32df11d089fa0dd3ca58b00709c599619ad9c7f96aa9de6789401f085a904cb1cda3b85b04c13e1c
SHA1 hash: 2dd06702606e36981084016d3d31f3b31e8ee7e6
MD5 hash: 59f2ea77d78642f1cf5cf4924615f7f4
humanhash: mobile-artist-twenty-violet
File name:HN00057903.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'815'552 bytes
First seen:2020-06-29 07:48:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:TiNptEiqkoev63hpnyiM4cRskjhEGCovFBMbYeO:otxwxyycEo9j
Threatray 11'364 similar samples on MalwareBazaar
TLSH 86852381F375975AD5BF8BF814A015504B3678263623E30E8EC430E95EB77810E9BB6B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mx1.africaonline.co.ke
Sending IP: 41.207.64.7
From: neeta@tlac.co.ke
Subject: Incoming Payment advice-BG_EDG7602020062601480045_423_760
Attachment: HN00057903.rar (contains "HN00057903.exe")

AgentTesla SMTP exfil server:
mail.edaraproperty.net:587

AgentTesla SMTP exfil email address:
wt.security@edaraproperty.net

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/15941/
Detection(s):
SecuriteInfo.com.Fareit-FVR97B1CDB35EA0.28661.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7d7c564bbd04fdd7765b8f5d0ef8c1c21af8a247db06e9d02176dd2d60b5fd60/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-29 07:50:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pv6fms55at65o5s3r5oq56gbyinprish3mdotubbo3os2yfv7vqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2c04868ebbfe96733b62c47dbbff880d1cb78d654d440078406bb44e0eb71976
AgentTesla
83ea7db0106f84be0194ce1ced95e79ee399a8b5029dd420340847ad4d7e4a1b
AgentTesla
872e1f8527fad5ec58946edda46b1ea81a65055391df90b2ca5f130eef99b662
AgentTesla
a91a2b8234a4b5a0fcd701970e05a01d153cd65ff27ed7e35fe603e3a59eaa40
AgentTesla
b4e4955cd0abdc5df6d5e1db5d58f3b0f1de491540371e919941f6dc9741f23e
AgentTesla
bc3beac20e0e95efa2db577bf7a364141d7d3966bd13881022200cfe31792338
AgentTesla
cfdd6d4f9c20199dd0ab9baa8c2a21e9855db1816650c80f06f72cc1b05cd40f
AgentTesla
d1076d7ed1c0f4710daf4352bc41472e1061ad7195f68b958e1224a97a446f1e
AgentTesla
d95fa241b2d110c4a75d87aad4a8004d130ecfaaa266bf2e8875f3344d0794e7
AgentTesla
ee40db183a9f86ee97dd3803b54d1711d443d25beb0160fd89cd54ad890b8485
AgentTesla
+ 11'354 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200629-amv2jnrrf6/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Modifies service
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 34a613de9fcaaeb5a7175845e9b3ff90ccada0f51820478ba55c211dde660ecf

AgentTesla

Executable exe 7d7c564bbd04fdd7765b8f5d0ef8c1c21af8a247db06e9d02176dd2d60b5fd60

(this sample)

  
Dropped by
MD5 73439fb8036352a7041ee5e2158ec066
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/15941/
  
Dropped by
SHA256 34a613de9fcaaeb5a7175845e9b3ff90ccada0f51820478ba55c211dde660ecf

Comments