MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b07177183a0f5cce808293132d98364a64495885d4bf1bbe7e2cdc39418d723d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	b07177183a0f5cce808293132d98364a64495885d4bf1bbe7e2cdc39418d723d
SHA3-384 hash:	a630d43fbcaee3da7920d7af9a4a9f0ef98ca8a89e9eab195472f0b62ed51d648766db5b4295fbdbd1eaaefe7bdda54d
SHA1 hash:	2d023a34b1627e239ba712bf1da5c27d991b23fd
MD5 hash:	5c8949651508c9dd11646ab798133bc8
humanhash:	arkansas-football-emma-don
File name:	87637483763200.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	504'496 bytes
First seen:	2020-08-18 08:42:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:4AaRQtuWO3J13CFn3tLE8NuRaW2ZwVxxjidPnOki50nDkAMVr+EMCbdRlFtMk964:1aRQtQLCRVNcaax+PAKkA+rxHdrFTLx
Threatray	9'239 similar samples on MalwareBazaar
TLSH	97B4E0F97AD31E13D72D193DD09315040B306A0326A3DB06B8C95E5ABE9EBDA8505BCF
Reporter	abuse_ch
Tags:	AgentTesla ESP exe geo Santander

abuse_ch

Malspam distributing unidentified malware:

HELO: servidor.seletcar.com
Sending IP: 188.95.249.108
From: Factoring y Confirming - Grupo Santander <fycout@gruposantander.es>
Subject: Confirming - Aviso de pago
Attachment: 87637483763200.GZ (contains "87637483763200.exe")

Intelligence

File Origin

# of uploads :

1

# of downloads :

74

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/47602/

Detection(s):

PUA.Win.Trojan.Generic-6629274-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

DNS request

Sending a custom TCP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b07177183a0f5cce808293132d98364a64495885d4bf1bbe7e2cdc39418d723d/

Threat name:

ByteCode-MSIL.Trojan.Dynamer

Status:

Malicious

First seen:

2020-08-18 08:44:07 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=wbyxogb2b5om5aecsmjs3gbwjjseswef2s7rxpt6ftodsqmnoi6q._file

Verdict:

malicious

Label(s):

agenttesla

Similar samples:

258475fb4d0c7c39b4d702172b78d67fc9223792061729543c97d0950c396b5e

35912ff3b78d0699082450202cc16cec5c11447c39ec0e4db7738c188662f0c5

3832b8b199ec2a5c06dfc3ed80a489583043e6477668370861380ee5306d9e55

4c66ebb40e5abd92b6a6985e8409116c5424ebb9af0c320cbafb031698e5022c

56f2c7b9d0efa06b177d87a0617b2a4ccb000d72599d046e3cc014628a4ca497

7042e48f18a5ca3ee1f07fe417f42e89369a3f3f22e11bada7df9929362ad63a

7a93cc0c53a02b539c07c06f9fc2d0e9b3794e6c33165e4e7cbe34c569e31278

91cfa121b109ceaceb8ca6dcef72ac69691291facec3569755f13c4a87f6da75

ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317

f150b76e622e7da135e3d47a20c424aa20a6efeb839b15d301c17233bdcbc9f4

+ 9'229 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200818-p4lv2meave/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

gz bb1f8f1a6289a6614336fc9bd608e67225b986c300152ee1c1f70add151572ca

exe b07177183a0f5cce808293132d98364a64495885d4bf1bbe7e2cdc39418d723d

(this sample)

Dropped by

MD5 577ee35a9db2a0014e4101006df171b7

Delivery method

Distributed via e-mail attachment

Cape

Cape

https://www.capesandbox.com/analysis/47602/

Dropped by

SHA256 bb1f8f1a6289a6614336fc9bd608e67225b986c300152ee1c1f70add151572ca

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample