MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7fc9466732f48a13fba7f7169c3eb19bf021d6adc63957ee1c5d57910887782c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7fc9466732f48a13fba7f7169c3eb19bf021d6adc63957ee1c5d57910887782c
SHA3-384 hash: 3cc7b0d3b0c014d246764dc6165a79d22d511c39efe92b6f246885ae7addfbb410759c3d0c04a4f78c1c3814901861ff
SHA1 hash: 88926fc274d5d63b684c84b4e940ed540de1732d
MD5 hash: e92a089471574c5f591873ae6b824d29
humanhash: six-double-vermont-helium
File name:Remittance Advice19062020,PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:378'880 bytes
First seen:2020-06-21 07:01:19 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:MlwZZqtDKJwrXFqYV60BjRja85i6vKTybkMy54PyWg8FKCSnIAVmh6MdJIyDfWh:M6ZMKQJThd1myIB546VbCSO/Lc
Threatray 11'084 similar samples on MalwareBazaar
TLSH 2B84CF476A444B3BE79A5B37F43747167078F2C71E85E58F018C0A9E4C8F28A893B75A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: alias1.industralnews.com
Sending IP: 194.34.249.254
From: Accounts <info@industralnews.com>
Subject: Remittance
Attachment: Remittance Advice19062020,PDF.UUE (contains "Remittance Advice19062020,PDF.exe")

AgentTesla SMTP exfil server:
mail.marketinfosales.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12341/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WEZ.30159.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-21 07:03:04 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=p7eumzzs6sfbh65h64ljypvrtpycdvvnyy4vp3q4lvlzccehpawa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
07cad509cf5a4ee6406a4229fe21bfaf23101816b2328402f86bc3b9e8c47d44
AgentTesla
09944e1f48bf7f92a9302b2fb104e20ede5d5a897dd2107f795175e0cfa405e0
AgentTesla
66a8c938adab25455ae47bf87fb5f2f17954f5a7a65434171b0e9342fbd76770
AgentTesla
6a31202250692a5fc5db29563f8b1f9cea0e2b77fe0261df224717644347858f
AgentTesla
6e3a137a621b11e16fb46aa747fae37564a0cd03e57873193fa5f772a5822628
AgentTesla
6ecf988a679d308056863801f551ef2775fe0dc44647bd1cb48d47fa3470a8cd
AgentTesla
85534754bd3a7cda7234040ba7f0a4440fe85c198e28286ef22fbeb97b3de14b
AgentTesla
a348e47d21cd548e5c1ac4865a194d4d5e81bfa97d1dfb5dcc62a385785acbcf
AgentTesla
d0f4e90da1cf7b70ef688b9bc4f10a460d747b792f46d91f139e8cd05481059f
AgentTesla
d1af73fc3a8feb9a8254eff6a4a94d1637593ade739fc42da2a4907029fa03e2
AgentTesla
+ 11'074 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200624-ek63c57m7n/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 2fc858267612890e9b62ed3293fd56ed577b3e15bc1de5ec95505b1e319195dc

AgentTesla

Executable exe 7fc9466732f48a13fba7f7169c3eb19bf021d6adc63957ee1c5d57910887782c

(this sample)

  
Dropped by
MD5 1b252bb021442a9809a1fd97b410154d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2fc858267612890e9b62ed3293fd56ed577b3e15bc1de5ec95505b1e319195dc
Cape
Cape
https://www.capesandbox.com/analysis/12341/

Comments