MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a72cd506b5fc75c21d24703009cc3e58dbd7bb037bf8afaa9f1585ebc79ed235. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a72cd506b5fc75c21d24703009cc3e58dbd7bb037bf8afaa9f1585ebc79ed235
SHA3-384 hash: 3adda6526e8795935df73e7180616261e040732642a398d5a396c8a64c5a8354ffdb1486c43f0fc69bf4091abc749814
SHA1 hash: d17026d90e8997baf4816d4d971dc7c4a4f73437
MD5 hash: 0e36f6b9007375a096a2a612fb6a5047
humanhash: oranges-ten-delta-harry
File name:gunzipped
Download: download sample
Signature AgentTesla
Create hunting rule
File size:888'320 bytes
First seen:2020-07-22 08:42:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e01edf6e44755e0328837b108f7966d (7 x AgentTesla, 5 x Loki, 3 x NanoCore)
ssdeep 12288:wQ/ena6F83r+bPrsdB0L0gazjJsJNulttShwmAlTvCIMPr2DJUgAlCwgvN:LaaFabDs7btHlttqwm4/f9HfN
Threatray 11'827 similar samples on MalwareBazaar
TLSH 48159E72F1934833C562DA3C9C5BA678982ABE115A2976476BF40F4C9F3E24338352D7
Reporter abuse_ch
Tags:AgentTesla


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.ptjlg.co.id
Sending IP: 103.253.68.52
From: Ajit Sabale <ops@ptjlg.co.id>
Subject: Petrofac Payment Swift For Overdue Invoices%
Attachment: PAYMENT SWIFT.gz (contains "gunzipped")

AgentTesla SMTP exfil server:
mail.c67976.sgvps.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30956/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.11988.27959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
56 / 100
Link:
https://www.joesandbox.com/analysis/394738
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a72cd506b5fc75c21d24703009cc3e58dbd7bb037bf8afaa9f1585ebc79ed235/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 08:43:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u4wnkbvv7r24ehjeoayattb6ldn5poydpp4k7ku7cwc6xr462i2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
02a3cf916211a06c79f7f785d925d76a6f0c1ea946c03c475048c1dc78d338ce
AgentTesla
0467fc866d61b5710a855b59fe9b08ef32ea972eab00c575701b9ee016352ac7
AgentTesla
13401ed6c28248a7b90b62de52d902972a9c0b72e2e19aded928988e2c9c4503
AgentTesla
35a94d699b3b76654146147d5049a618067f3c2081f0b90d28f2b0cb4baf9df1
AgentTesla
8948e4e0f392197b1c1436e5f7a2a7bc326c849b6129d8cf287a6d6a03cd642e
AgentTesla
a14f4263c002e77e88fa98957e19288e2076ad78d83c2247617f1a209d55a7a7
AgentTesla
a3f262fc5001f20e6d8fdf3bc436febffa5f4065eec8463bdd767efa2c3f445b
AgentTesla
a932257a2967d22fd7478319f19297485c631cd24990804be1e27752bc5549e5
AgentTesla
b4c84cf915c0f29a82c0fa8d9e7c7940338ebedf458ce7d4b187935bd5ba9e82
AgentTesla
d371f4d1ca41860654d8b400e4162fc379c05c31778f5bb4cbb653766f5be3db
AgentTesla
+ 11'817 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200722-hxctxwr6dn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a72cd506b5fc75c21d24703009cc3e58dbd7bb037bf8afaa9f1585ebc79ed235

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 440f385dbdc69f26bfe6854608491fa20f5473c4de5d9757dee3f1984d742edd

AgentTesla

Executable exe a72cd506b5fc75c21d24703009cc3e58dbd7bb037bf8afaa9f1585ebc79ed235

(this sample)

  
Dropped by
MD5 dfa3d734754dd828ad4ea61be2050f2a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/30956/
  
Dropped by
SHA256 440f385dbdc69f26bfe6854608491fa20f5473c4de5d9757dee3f1984d742edd

Comments