MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 874e5493086a501512f7367f1fc2dd63a9605466ef44ba598f52a21fb75c95f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 874e5493086a501512f7367f1fc2dd63a9605466ef44ba598f52a21fb75c95f5
SHA3-384 hash: 69304d90764288c9f5babe40579267fe81e26e12c1ecf892c262c6ed4475ac19d454d4cbf16d48985c718ce506d17e65
SHA1 hash: ca308cc48a4e13b0d83be60516ea27115c7a59bf
MD5 hash: 8f7f1c7c636599f167ecbca788ba9374
humanhash: cold-south-princess-venus
File name:TNT_Receipt.9066721066 AWB no.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:614'400 bytes
First seen:2020-05-05 07:43:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:DSu4sF5qVBmc71q+3LhFjt5Hd++okm8ta3GsmSG8pVGDOvoZWR4n9J3NAtW1sEu:2u402m6J9Fjt1U+U8taJmo
Threatray 10'573 similar samples on MalwareBazaar
TLSH 88D47C9D722072EFC857D472DEA81C68EA5034BB831F5213A42725EE9E4D987CF254F2
Reporter abuse_ch
Tags:AgentTesla exe TNT


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smtp.safemail.it
Sending IP: 147.123.1.124
From: TNT Express (ParcelHero®)<Custormerservice@tnt.com>
Subject: TNT Import Clearance – Consignment : #9066\x0a721066 is now under clearance process
Attachment: TNT_Receipt.9066721066 AWB no.gz (contains "TNT_Receipt.9066721066 AWB no.exe")

AgentTesla SMTP exfil server:
mail.perfectholidaysborneo.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis8F7F1C7C6365.29965.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Nanocore
Create hunting rule
Status:
Malicious
First seen:
2020-05-05 01:55:30 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q5hfjeyinjibkexxgz7r7qw5mouwavdg55cluwmpkkrb7n24sx2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2364247c3aeffef1ab3a097e386e61917c7083f53e016888d5c450e9f1c656ac
AgentTesla
30faa3175ec4ab520f8a730b7a047fd410ce3b82f86b5d3e881e31044a7a381f
AgentTesla
32e7be2844e7be1f6ae7d262eeebe64926946ebbc8e2d91ce3760b8e1d10285c
AgentTesla
3a50e52732ad555ed6f785c81ab6b0aa11c4360a4a6a5c7daab07286b376a259
AgentTesla
5e90b08b7efbc0e845c590ae49ba28df3e5312a485a80ea69b9f8145106b12b6
AgentTesla
6ef9a45a617adf0e0ff740e37c865325289a110394725c393c314a3128a2575f
AgentTesla
9251aefb3d0f5c1a21c9de09cb545c28e64c99c7424cba4021248f2cd35e6409
AgentTesla
bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6
AgentTesla
ea56935a4dca19d4ed31da39e7e861574186defbb63896045cff26a38c5b3ae7
AgentTesla
f8166c3c857a7a3ba99515cf6ae242a78050fba7608e24a88e2559e0063a187a
AgentTesla
+ 10'563 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-hhshrcly3e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 87cc6e0251eaec1fc831e23837af5f0821ead7175f1eef1fb3c1b6b9640ffee7

AgentTesla

Executable exe 874e5493086a501512f7367f1fc2dd63a9605466ef44ba598f52a21fb75c95f5

(this sample)

  
Dropped by
MD5 f93ecdc927f31b0ebda967332e94b0a1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 87cc6e0251eaec1fc831e23837af5f0821ead7175f1eef1fb3c1b6b9640ffee7

Comments