MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b4f20fdfdb4f4e477ae4a2c5edb89d474914a29a0244c8abb6b69eadc534ef5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b4f20fdfdb4f4e477ae4a2c5edb89d474914a29a0244c8abb6b69eadc534ef5b
SHA3-384 hash: ed5512b2f36cf95837a74dc2fb5cac57959cb5d57a4d12499a5c6ccedf7e6b76868f44e4b512d1f756fc83c7a1fd1a42
SHA1 hash: 28b44db3fc00c6f73a0ee211fe6341919d9a510b
MD5 hash: ca9d362d5fa055a3e978a1e6c7ba4371
humanhash: asparagus-lamp-equal-lamp
File name:Remain outstanding payment invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:551'424 bytes
First seen:2020-07-16 06:18:41 UTC
Last seen:2020-07-16 07:03:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:UPWlR2k4zUXhvXJSeLoehSHpHZzprmJxV8VdP:Uuxh8eLoS2HPr7
Threatray 2'826 similar samples on MalwareBazaar
TLSH 90C4DFC83950A94EC95E8E758954CC306A302D22FAF6E24727C7BEDF353D786CA41693
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: brookplast.com
Sending IP: 209.58.149.70
From: Riyaz Ahmed<riyaaz@brookplast.com>
Subject: Fw: outstanding payment EUR2 Invoice with SOA
Attachment: Remain outstanding payment invoice.Ala Eddine Boukhzar.pdf.gz (contains "Remain outstanding payment invoice.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/26323/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.19481.5475.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Creating a file
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/b4f20fdfdb4f4e477ae4a2c5edb89d474914a29a0244c8abb6b69eadc534ef5b/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 06:20:12 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=wtza7x63j5heo6xeulc63oe5i5erjiu2ajcmrk5ww2pk3rju55nq._file
Verdict:
malicious
Similar samples:
067b9d06a47a9ca284129833cf4d79dae27bb36c6bccef4bb6ef01bd649db763
AgentTesla
0bfa0a1210892f7fef260ec1090df1ebf6d0d7b1cb607d19e8b5d791aeb157d8
AgentTesla
16b59963cf5398fe9d50d18723bf7b78073a6fd4d1dfd3072b45b8852ead2d58
AgentTesla
2a9ff7b8ca6a12f714779ecdcd2d86ccf9ad03da04de4a45aa8c3c97b7209c8f
AgentTesla
5e110b46db054e7b3b2e12592791e89e76d8baf65c215c1a577ec2016c3c81e5
AgentTesla
6c14f83aa09c4b45b49bc66096834c964a934f8d171733babb829aaf1f6d579e
AgentTesla
a221aea48e4c8450ffde297704231b8023ee99a1e98892c3958dc3072bb33f16
AgentTesla
bfc3d6d12ca4a76297cf920edbdfe491c6be14e42e6b9c0722ff5efb5bfb6377
AgentTesla
c55adee81431d43a726c2b55b4153d234782a0c2ca454a4ef55527d41d86fdb6
AgentTesla
e0f7770371bb6692870714c68bc5e4d770864d3fee263a1fc6defbca0d9d299e
AgentTesla
+ 2'816 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200716-kfpsjtdyt2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz ef677a9d57271377d545f52a8145e8b9b867ff811b11dfdf6a2ceee2744dfc5a

AgentTesla

Executable exe b4f20fdfdb4f4e477ae4a2c5edb89d474914a29a0244c8abb6b69eadc534ef5b

(this sample)

  
Dropped by
MD5 9f5c5b185db71c2cdfed041f17026310
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26323/
  
Dropped by
SHA256 ef677a9d57271377d545f52a8145e8b9b867ff811b11dfdf6a2ceee2744dfc5a

Comments