MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7e78c4870f1bb56b9b663d43a07ff8781916d1892b8ec7f4623d4f10c14f7c29. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7e78c4870f1bb56b9b663d43a07ff8781916d1892b8ec7f4623d4f10c14f7c29
SHA3-384 hash: 57a340e3766530b1cd2a51e666721a1490bdf249c0645563b2b11e4e8ffc3b6489bc366bab6f943e6c841ba4d3f9f10e
SHA1 hash: 5bc289bf1b751febf734e496b633112aa14d74b0
MD5 hash: 669ae5870aad3983165908e44237d4af
humanhash: mobile-tennis-september-tennessee
File name:Re.Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:485'888 bytes
First seen:2020-06-24 06:30:48 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:dAYoHYhd5seMXec90p82UhktmZ+88kNBucn3QlgUBWd19Rjg0CGxFt1hvEEqEw3d:l++MXQ8Nktms0QlgSEsKLEEqEw2q29Sp
Threatray 11'674 similar samples on MalwareBazaar
TLSH 79A4010B3B88A927C13C16F985D31B0813F65AA77655F3EA5CC0A1C654C37E6AC61BCB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ayalyami.com
Sending IP: 62.113.215.209
From: Kumar Sing <construction@ayalyami.com>
Subject: Re:Order
Attachment: Re.Order.rar (contains "Re.Order.exe")

AgentTesla SMTP exfil server:
mail.head2hire.com:587

AgentTesla SMTP exfil email address:
zinoxshippingcompany@gmail.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13469/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7e78c4870f1bb56b9b663d43a07ff8781916d1892b8ec7f4623d4f10c14f7c29/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 06:32:05 UTC
AV detection:
26 of 30 (86.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pz4mjbypdo2wxg3ghvb2a77ypamrnumjfohmp5dchvhrbqkppquq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
69e1a15be2f6adc6268ec617568b3d2725122eb8d34873c23a7117b24e8b6854
AgentTesla
7523c12a912fa702d0d82798e013bf01d7be7b4b0fd08989bdb48c04738c876c
AgentTesla
8470a2e93ae48abb1b987d9927277eb7a3bde99fe0d048274f839cc25aa3aa95
AgentTesla
a12f0d1a1d8da27fa8c18e29f47fb43cb8d5f95c3000f3af1b61806bcf13e7a6
AgentTesla
b88e0edb83dadb3c26add0d4811a6a2f74c69a1fa361291a98bfdecca0c9ff8e
AgentTesla
b9620fd88aff4f05ecddda888f13bd8c5780f6fb2c1f5df66c64ce5854cd82d8
AgentTesla
bc02f7f4317f67dcc9ef60b524498431ec0ef0b261f715c4b20371e423b30fb5
AgentTesla
d6c1faa749cd1365c95ba2052c3eea5b4aa7a19d6c8a86e977413f276cf40ed9
AgentTesla
de17285437a4c1de71dae13eda552553af99577fdb088e7715aaf877a0cb1b13
AgentTesla
f302282c8f607b9b5225217fa0c83e843057b8e69097d36c0c70f9e8c533697e
AgentTesla
+ 11'664 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla persistence
Link:
https://tria.ge/reports/200624-werpvfm94x/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Modifies service
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar cb1583525dc67f564cfa94251a8876863f5b8afb0813d38f3160a01bbf4534f1

AgentTesla

Executable exe 7e78c4870f1bb56b9b663d43a07ff8781916d1892b8ec7f4623d4f10c14f7c29

(this sample)

  
Dropped by
MD5 546087eaee88fe7de4c28fe6f6d5b08b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13469/
  
Dropped by
SHA256 cb1583525dc67f564cfa94251a8876863f5b8afb0813d38f3160a01bbf4534f1

Comments