MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 930d653a60d5eea45cb332a3b313d8bf129c1b6a0dfa82aaedadfb9dd0dc8ced. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 930d653a60d5eea45cb332a3b313d8bf129c1b6a0dfa82aaedadfb9dd0dc8ced
SHA3-384 hash: ca077c065be3e439d9e62479b246953e7810c2a86f631e89fd326fff396664d63be1dc6ac9e178d278776f0a4bb8dbef
SHA1 hash: 4c65541a819cd7a39b4a4a4162b1d205cda82611
MD5 hash: 08e759dbea723644aa0a83897773a90b
humanhash: emma-river-cardinal-football
File name:Payment Advice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:757'248 bytes
First seen:2020-07-14 06:04:31 UTC
Last seen:2020-07-16 05:16:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e1c1ff870c7f2916086288f794229846 (5 x AgentTesla, 4 x Loki, 2 x FormBook)
ssdeep 12288:9kXOU51w5qnnf9aG3EV+M6qzvXkqYJZrbMMe8vHqI/uzHSgWPN4k3q1OiYsoH:2eMbnn7EIqzAT/MMe8vHcpW/a1O9soH
Threatray 11'739 similar samples on MalwareBazaar
TLSH 31F4BF62F6E04833D16B1A3D9D1B97F8583ABE41FD189E8B2BE45C4C9F393413825297
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
5
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/25595/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Win32.Herz.B.13070.25735.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Creating a file
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/930d653a60d5eea45cb332a3b313d8bf129c1b6a0dfa82aaedadfb9dd0dc8ced/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-14 00:29:58 UTC
File Type:
PE (Exe)
Extracted files:
38
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=smgwkota2xxkixftgkr3ge6yx4jjyg3kbx5ifkxnvx5z3ug4rtwq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0d0aaa114bac9aa0afb33e6c70959524af7afa277e7700967763c604d4d188c2
AgentTesla
3cccff9a1654ffd65017b4264a450e2c1198275dd84050139794488778bd7961
AgentTesla
528f29b705ad29a6e607a93fe7f16ddd4725f19f0e9d32cbc505f14d20a52787
AgentTesla
6b0f2c8d4a8c8883be658db9868b33db30eb73755e4688279c29599eb25c6099
AgentTesla
7a3c761d105aebdfc06ce56ef43ba47d374ba81cc1d64d5380054cccbd92bd57
AgentTesla
9a4aa8d0acefa1f81a81440379ce5c4c76175c6a28d72ab61d372394646bab6b
AgentTesla
af4f05bd033462727c03619d51062e0d9f1c346a19ba1b9df1bd3a9b593f80bb
AgentTesla
b3bf1c568dfbb2a1af09b07eb0a7aff6e2d7addbf3c51e4c6850ebc96afd103e
AgentTesla
ef3cbb89feca43a0f0756ff2c3e485755e38f2d4ea6f807e7c09fe31ab710920
AgentTesla
ef4ae3267d280e27deddcafd021cf4d4ac90adab048cb271001a32a339b3b227
AgentTesla
+ 11'729 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200714-59jkm3bjns/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Malware family:
AgentTesla.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/930d653a60d5/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip bf5c8f7e46432ea680138ece9f231b80848dc4f0fd9ef5a90216f38a0e5de498

AgentTesla

Executable exe 930d653a60d5eea45cb332a3b313d8bf129c1b6a0dfa82aaedadfb9dd0dc8ced

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 bf5c8f7e46432ea680138ece9f231b80848dc4f0fd9ef5a90216f38a0e5de498
Cape
Cape
https://www.capesandbox.com/analysis/25595/

Comments