MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4c84cf915c0f29a82c0fa8d9e7c7940338ebedf458ce7d4b187935bd5ba9e82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4c84cf915c0f29a82c0fa8d9e7c7940338ebedf458ce7d4b187935bd5ba9e82
SHA3-384 hash: 63a25202f06ae402d9e7477af76e2b74080f286c19cf6588f23e9bc9cabe4238d11bbe2bb177e9c83ff948565a1152ee
SHA1 hash: 7c0ab3ca064486c51c3df1bc1998315ab2c9adcb
MD5 hash: c2a67ac35ee618dca130790dd9ae2d3b
humanhash: lactose-video-chicken-mississippi
File name:Order# 1391914.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:887'296 bytes
First seen:2020-07-22 06:13:34 UTC
Last seen:2020-07-24 00:53:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 7e01edf6e44755e0328837b108f7966d (7 x AgentTesla, 5 x Loki, 3 x NanoCore)
ssdeep 12288:IQ/ena6F83r+bPrsdB0L0gazjJsJNulttShwmAl9PKPLZn574FSReREq:zaaFabDs7btHlttqwmUPGLZnhTwT
Threatray 11'766 similar samples on MalwareBazaar
TLSH 69159E62F2934833C563DA3C8C5BB678982AB9111A197A476BF44F4C9F3E64338352D7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vm86.entorno.es
Sending IP: 195.162.18.193
From: Sales Coordinator<info@ampsprayers.com>
Subject: Purchase Acknowledgement PO# PO_009237-1 -- Order# 1391914
Attachment: Order 1391914.pdf.z (contains "Order# 1391914.pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
3
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/30739/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.Delf.FareIt.Gen.7.11988.27959.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b4c84cf915c0f29a82c0fa8d9e7c7940338ebedf458ce7d4b187935bd5ba9e82/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 01:32:31 UTC
File Type:
PE (Exe)
Extracted files:
2
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wteez6ivydzjvawa7kgz47dziazy5pw7iwgopvfrq6jvxvn2t2ba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0b8816ca9d3b6f03b3a60637504d206815c6bf230cf410ccce9af1bdea3d2839
AgentTesla
114b8b1a7eb6546c02b917e7c00e493d92c4058704ff3166126ce0b1df4725ff
AgentTesla
1d9b1d8e395cf453f297112e35358e0bfb4a80771b80766c14d228e1d4914b13
AgentTesla
35a94d699b3b76654146147d5049a618067f3c2081f0b90d28f2b0cb4baf9df1
AgentTesla
454a0a9ef4675eff89f9ecc46d46960c5dbb0f463029f34c5037dcd415019245
AgentTesla
705418b73c1578bf145f86ce7b0b450ee2112082c4cab2083ab362933204a535
AgentTesla
a3f262fc5001f20e6d8fdf3bc436febffa5f4065eec8463bdd767efa2c3f445b
AgentTesla
aabe14b147b240cb1c6bb3f2b55c5abe8126e5507c6b346a07dd426ca1da6fb1
AgentTesla
ce026bee1dbbb52c3350d99531f92ee2cfb8426d79170b839d79e74b99a35e96
AgentTesla
d371f4d1ca41860654d8b400e4162fc379c05c31778f5bb4cbb653766f5be3db
AgentTesla
+ 11'756 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200722-rf51vsy42j/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b4c84cf915c0f29a82c0fa8d9e7c7940338ebedf458ce7d4b187935bd5ba9e82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 51f99a267b65b6a88cdeb64e3d8bfe65f9c1bdcc3e52a40ee4f2bbbdbcf9b5d0

AgentTesla

Executable exe b4c84cf915c0f29a82c0fa8d9e7c7940338ebedf458ce7d4b187935bd5ba9e82

(this sample)

  
Dropped by
MD5 6896a57e7f992e90e427697f9cb2421d
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 51f99a267b65b6a88cdeb64e3d8bfe65f9c1bdcc3e52a40ee4f2bbbdbcf9b5d0
Cape
Cape
https://www.capesandbox.com/analysis/30739/

Comments