MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 974c0a579fffd3e9bff886a850a48a3c8b77e716139d6d0e30902fed9dd53e0e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 974c0a579fffd3e9bff886a850a48a3c8b77e716139d6d0e30902fed9dd53e0e
SHA3-384 hash: 9a005189ceb97e15d5ad1011a4c3ac68ce052f10e366aee03427a88e2ad2ec4a62b5a66985d50a79ca05de6e79667479
SHA1 hash: 199f383d02464720f78a551b7c0f8b2b0717debc
MD5 hash: 2c7211cf77118f3430acedae3575e50c
humanhash: tennis-comet-timing-bravo
File name:OPO.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:489'472 bytes
First seen:2020-06-25 05:34:19 UTC
Last seen:2020-06-25 09:57:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:xfrZSpONaUqn2KYzb6B22Zc7wfLOTQERnWAtidPmtQkuYUdw9AIU7qaPLDbJT37T:xVlNEn29zb6Qb7wfLUz58d5tHlCC
Threatray 10'639 similar samples on MalwareBazaar
TLSH 08A4F110B2AC7ED6E969037B10B2A01003B5FA677212DB0F599172992D77BC37163FA7
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13907/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.44022.12293.6950.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with Startup directory
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/974c0a579fffd3e9bff886a850a48a3c8b77e716139d6d0e30902fed9dd53e0e/
Gathering data
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s5gauv4777j6tp7yq2ufbjekhsfxpzywcoow2drqsax63hovhyha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09e9c9443761511543691282dd163f837f822a4ad81e11d94518433bf790acd7
AgentTesla
2231e1d8fe5b4e56502b7e21d076283159d2e9b2c8e760f77e8be88867d0ae33
AgentTesla
361df840f755828b47108104d9da4a9614d9c961f913c89c12027799150568df
AgentTesla
3b6fde65cc308f5f546273a418fa9a710a41250d8bdc9419504dddeeaee04e1d
AgentTesla
4a1e51e256516338037deafe0cc2d3a0d3e5853ac534bb2fce79ea69246c4dc6
AgentTesla
a7ee634a76bdfb8d44f448a42a34d849a25092e53d9644096c80182df1a1b944
AgentTesla
a9b054542a826b81fbc7f53971bb54087d29f8cf50d7f375ff148a2d53b0005d
AgentTesla
b9d2e9ef5ac762cc3961f222eab3b94a0d8b73e2fba5ef7ecd148fe016945f20
AgentTesla
c1c4d2e6f09e820c8b3ac98b6c998737da48ae70142a00feca9fbdf17342c11e
AgentTesla
c8724aaaab5ec0f367f3c5b49b22346a502b53e2539594b1d0332327e6fc2154
AgentTesla
+ 10'629 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200625-dmpt9skmxx/
Behaviour
Modifies registry key
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Drops file in Drivers directory
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 18b6290435abbf16c0f0166c840fbda1838d10934ac3bf20f15138a02c495ba9

AgentTesla

Executable exe 974c0a579fffd3e9bff886a850a48a3c8b77e716139d6d0e30902fed9dd53e0e

(this sample)

  
Dropped by
MD5 7aad1768b2cc39627c24710361fe3802
  
Dropped by
SHA256 18b6290435abbf16c0f0166c840fbda1838d10934ac3bf20f15138a02c495ba9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13907/

Comments