MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 988b5f074905c9add2fb2f65daca7439a65011f7279ecff951e3e28cc8c7cb2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 988b5f074905c9add2fb2f65daca7439a65011f7279ecff951e3e28cc8c7cb2b
SHA3-384 hash: 9a4d1f2fede68786994ef1ef845011529930f6bcedde068c8c84311b100e32e647911e582c423f7341a0d8aa73429b8f
SHA1 hash: 252689af8be335962eb53c56e9dc2758ab9acb5a
MD5 hash: 6d029d3ac76fe6d714b7d52e358f52d3
humanhash: india-emma-november-diet
File name:QUOTE 2020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:463'872 bytes
First seen:2020-06-24 05:38:39 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:i107NMfwwO372935oqjqKQ6adJZi7qiVoYD7lar:i0Nv37YqKQrkBV7C
Threatray 10'680 similar samples on MalwareBazaar
TLSH FEA4010B7FACFA17C57C19FAC4C11B8803B6196B765AF7C92C8025E525C37E999212CB
Reporter abuse_ch
Tags:AgentTesla exe Yahoo


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: sonic309-22.consmr.mail.gq1.yahoo.com
Sending IP: 98.137.65.148
From: Joe Chen <nobin2@yahoo.com>
Subject: Re : *URGENT SUPPLY* - QUOTE 2020
Attachment: QUOTE 2020.iso (contains "QUOTE 2020.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/13412/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/988b5f074905c9add2fb2f65daca7439a65011f7279ecff951e3e28cc8c7cb2b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-24 05:40:08 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tcfv6b2jaxe23ux3f5s5vstuhgtfaepxe6pm76kr4prizsghzmvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2686990e01b4d89572990a34ea3ca265a5fec074276972d5fdb4543eb7357cc9
AgentTesla
2beabe2b3687dbd2375edc30905a41c7125e1a0b310eb2221901575632ac7a1d
AgentTesla
5a460f4dffeba9df56bfda908e0570f0b80dfe92c18262d71dffd6067d552353
AgentTesla
6fa490f0cd759d3f124106c12c8136d6eb4546964eeadf613d4c56b88ff6cd62
AgentTesla
968fda7e4a26ba09c4f69157d988a9cf4929894f126219ac811c3986a810508b
AgentTesla
988db21dd029495560fbc35f0286e1dac02759543fef7f6486affdaa6acd6f2e
AgentTesla
a214cf33d800eaa6987385691261de7e5c6982d10a18841d61d8dc5fd22d7c83
AgentTesla
cb2b081b348a1b1838d98c802b3789d4d17b1992851dc317fc1df7a1c4a90f21
AgentTesla
d9e6f4cf80dd417cc309be4c769598a87486d407789f1843e67da0b62588a98c
AgentTesla
ef0e3bf7214ec90fb27255e2da9ffaed76a80f56e807a542fd810587720e01ea
AgentTesla
+ 10'670 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/200624-2t5cn9mfme/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso e73f1083ddbaa22484def0fe551579e2ce6f2ee6790a6504e6ba29191d588709

AgentTesla

Executable exe 988b5f074905c9add2fb2f65daca7439a65011f7279ecff951e3e28cc8c7cb2b

(this sample)

  
Dropped by
MD5 d91124abe265cea0c9c3d4c7b3a77059
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e73f1083ddbaa22484def0fe551579e2ce6f2ee6790a6504e6ba29191d588709
Cape
Cape
https://www.capesandbox.com/analysis/13412/

Comments