MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8cacb4c01a703f8a300130d23fe74ab651ce7916a701357cb14b468e2a816a3d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8cacb4c01a703f8a300130d23fe74ab651ce7916a701357cb14b468e2a816a3d
SHA3-384 hash: d2639e429015b7604a38b5a17f2967b6bdeb51ed1d862aef224a218eb82c57c1813d70158e7d3c81e4d64d56bbfa93b8
SHA1 hash: e9380704905a83f9f9af8a1499d05f89a615011a
MD5 hash: b125fb8ec14b5b5a0a677256ac8291a9
humanhash: minnesota-winter-carbon-solar
File name:FI20-1194 - FTQ1.pptx.pdf.zip.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:473'088 bytes
First seen:2020-05-12 15:10:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:m2/PQHNWcDREVUFZZnvglzYoSXagpnqrVxu:b4tREaFZZnvgNY/XBZqZQ
Threatray 10'885 similar samples on MalwareBazaar
TLSH 6DA4F136729CEA13D69F56FF8491210443F4B16220A2F3EB1CD2E4E926D47C689C5F9B
Reporter abuse_ch
Tags:AgentTesla bat


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: srv107703.vps.myhostingpack.com
Sending IP: 104.131.56.112
From: Smeralda.Ramos <recepcion2@calmet.com.mx>
Reply-To: recepc2@calmet.com.mx
Subject: OUTSTANDING INVOICE 28897
Attachment: FI20-1194 - FTQ1.pptx.pdf.r02 (contains "FI20-1194 - FTQ1.pptx.pdf.zip.bat")

AgentTesla SMTP exfil server:
mail.climasenmonterrey.com.mx:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 15:36:02 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rswljqa2oa7yumabgdjd7z2kwzi446iwu4atk7frjndi4kubni6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1d3e3896303994f755fcaa5c1e4e699f6453bf9e080851f994e658fc95482333
AgentTesla
227c14f96fe815771903d9c8050d094efc19423e072f06b75a40a5305fb04476
AgentTesla
24485d2207c94aae6706df8541dc1c7a434ca8d200aecd31163e0ce70349a755
AgentTesla
2530a6515fbfa1c1828dfe9cf174709002d10b9ae832176fc98fe5679a23bf13
AgentTesla
59d52036bdcefb1d4b3dd681b01fa5f7d5ea57249f48fd81719f94c06b41dde0
AgentTesla
64df39ad1c9796f197681de5ec882e28c40671cb552a7adb5f94b780995965ad
AgentTesla
af80a0ec35e2521f9bcb52dadbf60329d28aafa5f311c612721da30329fd57eb
AgentTesla
ca6d1749f9645475aa7ab0ca268e31ba00817a8c70467c4d6d88bb2ca54d596d
AgentTesla
d3375fae6761e02b05ae0ca40938958b7b025f1072d989b3188ff46ec032505e
AgentTesla
dff01b9f8946ed3792fe4e32ae3f95834c892f16ca219dc99d78fd15064f82a2
AgentTesla
+ 10'875 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-qnrkr2e8ds/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r02 21e61534766a6d0dbc8a867c7a0c6c6a2153a227162641c6306da7772ff4cff2

AgentTesla

Executable exe 8cacb4c01a703f8a300130d23fe74ab651ce7916a701357cb14b468e2a816a3d

(this sample)

  
Dropped by
MD5 4a62c645f303b55023b348d4698797d1
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 21e61534766a6d0dbc8a867c7a0c6c6a2153a227162641c6306da7772ff4cff2

Comments