MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8d98cc9cafea7bf31e27287f1002cbade82ac19f44d2b12584598509b8b10c99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8d98cc9cafea7bf31e27287f1002cbade82ac19f44d2b12584598509b8b10c99
SHA3-384 hash: 06daacca230a4a3a5645ec8a65d504d103e12b1163069d41fb63f2aa0fba5f5a57fb5b40afa3e79fdacb6db32dfce776
SHA1 hash: beebac09e6663d88f36d39027a10b1512970f7f6
MD5 hash: a24efe06eef9d062d226bf5eec6606d3
humanhash: mexico-bravo-north-sodium
File name:hesaphareketi001,pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:660'480 bytes
First seen:2020-07-09 12:10:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:z4qlpFpwsqjrrQRK4LkwTJqtJYe7UsdmOFMZtGeOYXt:z/pFpvqjfQRnrqhndm8MJOY
Threatray 10'745 similar samples on MalwareBazaar
TLSH D0E4282D3AC1A829DC3D193544794EC0A770F68B2B02CB9FA5C3476C6F126DB7B1619E
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ngay7.localdomain
Sending IP: 45.127.62.209
From: ekstre@garantibbva.com.tr
Subject: Hesap hareketleriniz
Attachment: hesaphareketi001,pdf.xz (contains "hesaphareketi001,pdf.exe")

AgentTesla SMTP exfil server:
mail.cappac.com.tr:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8d98cc9cafea7bf31e27287f1002cbade82ac19f44d2b12584598509b8b10c99/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 12:12:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rwmmzhfp5j57ghrhfb7raawlvxucvqm7itjlcjmelgcqtofrbsmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03035f39055dc379e10a3f7a79092877c022272c9fb14116c44bd9d3ed637655
AgentTesla
44096c1493b07b6097e73099250d28081e1729e2181420e90b5913030c9687b2
AgentTesla
7e393bcd518415ad70e7a6924c8798391400554fce9c2a639a891dcda4f8e230
AgentTesla
983642426c54efb09b590e6f4344483d07b99a9e3a2551d504d4293183d701c3
AgentTesla
d90041e6b2a7deca5936829d8a2f6b9c190abcab6c81c3a99b22d41ed6fffbb0
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
e30b8563272ddf31c2309bf96d93c90288154539e39827bc9a868e1e74e2e3e5
AgentTesla
e4cfdad9d000b5d06751ff7d1b0d347e1aa1ce9e8ace7dac3148967879392cc4
AgentTesla
e6a9bbee2b3b1dec06bfcddd17711777d7d14171e9c180a7310f6bb9cabf6879
AgentTesla
f79a00a5a78540c33e096805046cae230765cd3bd62fa5e077673f3c873cc547
AgentTesla
+ 10'735 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200709-r8spqa3tls/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run entry to start application
Loads dropped DLL
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ad04786cc4b5330dd661d03192a366212d7fde34fb93c3b0dd9bcc7e773167a8

AgentTesla

Executable exe 8d98cc9cafea7bf31e27287f1002cbade82ac19f44d2b12584598509b8b10c99

(this sample)

  
Dropped by
MD5 7500a9e2af20b855c7eeeb39b44edaf3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23743/
  
Dropped by
SHA256 ad04786cc4b5330dd661d03192a366212d7fde34fb93c3b0dd9bcc7e773167a8

Comments