MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b1c01251f188fd002ea3dccd1b74db29da48f6c40511ec96a6b27de3dfc932a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b1c01251f188fd002ea3dccd1b74db29da48f6c40511ec96a6b27de3dfc932a8
SHA3-384 hash: e2dc82b84643d788d72dbcd77fbeb15f76d884ddddfcbc7c114332508f5ead6bbb63ed0f85b3057c1e76c99616aca9c5
SHA1 hash: f96e487f573ab188b9516dec0b6ed8fe83325ef8
MD5 hash: 059c936b80f96502d0fd020672f88e9a
humanhash: queen-alabama-solar-apart
File name:Transaction Recipt0000000000000000000000.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:436'224 bytes
First seen:2020-07-07 12:51:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 390e29859a8109da4988860f226bf922 (5 x AgentTesla, 4 x Loki, 1 x NanoCore)
ssdeep 12288:V0HVkr49IEvNMH657qeB7pnW4sEe8RWS54M+pk1:VqVkr4h1PRqipDRT54
Threatray 11'248 similar samples on MalwareBazaar
TLSH E89401A6CB403671E04E0973620B4EBE5710F432F2BE4F0B8A169D5DF875367FA96642
Reporter abuse_ch
Tags:AgentTesla Endurance exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 142-4-22-49.unifiedlayer.com
Sending IP: 142.4.22.49
From: Ashif C.K – Accounts department <info@npfqqtar.com>
Subject: 50% deposit payment transfer
Attachment: Transaction Recipt0000000000000000000000.rar (contains "Transaction Recipt0000000000000000000000.exe")

AgentTesla SMTP exfil server:
smtp.mail.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22276/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Launching a service
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b1c01251f188fd002ea3dccd1b74db29da48f6c40511ec96a6b27de3dfc932a8/
Threat name:
Win32.Trojan.DelfFareIt
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 12:53:06 UTC
AV detection:
29 of 31 (93.55%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=whabeuprrd6qalvd3tgrw5g3fhner5weaui6zfvgwj66hx6jgkua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
59dcd83a970ad6a06178eca59bd9c3bf0e7911af14bd2e0d706b060d8801ed0b
AgentTesla
6829d0fda2947fe416b54669b3bfa03020e2b191f412292f5b6a53abb638bcfd
AgentTesla
68a8d363bbf1320d590f3f7aaa877caabe67c0f9dc465da5342b243e688cb1f9
AgentTesla
6b0f2c8d4a8c8883be658db9868b33db30eb73755e4688279c29599eb25c6099
AgentTesla
753b13f8023f090e704dcf91b6e9430aa52a83acddcce04638f978bbcd1f0fc7
AgentTesla
935e5bb0fe7441931cbc606436d22e48c1990f2b421c14980b1cd5ae4eaf9975
AgentTesla
9a99082664fba770485b23172f61bdd349863e9803d7a01170e1839026c6a0fb
AgentTesla
a62a90789d488d851050ad121400c40bdcbad55ff7acedca829edff301b0342d
AgentTesla
a884c6f90ec51dc6d39304e05efe5820d5c11afcd90abeaca8969b4adb9448e7
AgentTesla
ca0b556ff44259aacea1061aec8f026cca87dd2f8e786349ce312cbc4f8690db
AgentTesla
+ 11'238 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200707-769lwxwry2/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 643adbbaad6f67ab9972db8a2ca69c13001c93031448365ac2d74c04d418851d

AgentTesla

Executable exe b1c01251f188fd002ea3dccd1b74db29da48f6c40511ec96a6b27de3dfc932a8

(this sample)

  
Dropped by
MD5 030ab400795f608b1d7c12339c75d70d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22276/
  
Dropped by
SHA256 643adbbaad6f67ab9972db8a2ca69c13001c93031448365ac2d74c04d418851d

Comments