MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7527540bcae5dfbab3170179e1d71dd1bdd1c923ad260a1688dce844e28c3f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	b7527540bcae5dfbab3170179e1d71dd1bdd1c923ad260a1688dce844e28c3f1
SHA3-384 hash:	f3746c31498abd1a308dce2dad526f31257269c79190b3d7bf7f3c31616d73f20d6705f78ac16baedfceefeadb3f5379
SHA1 hash:	a5c35e278accbf4209834b303abab88b82e81b33
MD5 hash:	46e291ce9992d8a511aabd59059caa72
humanhash:	indigo-spring-idaho-xray
File name:	financial invoice.PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	468'480 bytes
First seen:	2020-07-10 11:53:03 UTC
Last seen:	2020-07-10 12:56:59 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:V7z1Sci7ZZr06QYUzo5isr6BfCTCxxbaLAQ3:b07ZypP67TCHaLJ
Threatray	10'677 similar samples on MalwareBazaar
TLSH	FCA4F18871B8779FC16BD7F28A246C64A3717067970BD2478C8324DE586DF82CB50BA3
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: eubc.com.jo
Sending IP: 209.58.149.66
From: Hassan Al Hemsi <H.hemsi@eubc.com.jo>
Subject: financial invoice
Attachment: financial invoice.PDF.rar (contains "financial invoice.PDF.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/24380/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.380.17433.31201.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Using the Windows Management Instrumentation requests

Launching the process to change network settings

Enabling autorun with Startup directory

Unauthorized injection to a system process

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/b7527540bcae5dfbab3170179e1d71dd1bdd1c923ad260a1688dce844e28c3f1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-10 11:54:07 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=w5jhkqf4vzo7xkzroalz4hlr3un52heshljgbilirxhiitriypyq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

130a1070851bfc4e41ace49185b630338cd5c108a53e0d46d09a0abb258ece6f

AgentTesla

448b0a449c23cf6b69459242a709785a3fa1c3cae3d4399673f2e20d0eec6be0

AgentTesla

8ea404b56d3341cbcc42c2f9b99c6cf8aa457d94b5319e19bee72859be9b1c32

AgentTesla

9742adf8c511be66c57c236b2849338090c3b7cc0f7ac13f5ff14cdcbfe19912

AgentTesla

b699a2766f106ff77377780bad431b72ef1748bf989e09f2b82fb73cf30cbde3

AgentTesla

cd9532fea4c331fed21dd929be9a963c50662e545e38a63fcae56cf13199fead

AgentTesla

d6fb73252e37f4b2e507e97ddd633c789f7f947ee48b1e564330f4c1529eefb5

AgentTesla

f892f7e0b4bcfd9084ac791d72a87a95a16ca175a154faf0a2e24da5dd205bce

AgentTesla

fa355139bfaa9fcf4324154194f2cb280899be4863fd278c7b06440d84a14d39

AgentTesla

+ 10'667 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware persistence keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200710-cfd2g8phhs/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_g2 Create hunting rule
Author:	Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a5a9954a6f02518febb9d9519a407097

AgentTesla

exe b7527540bcae5dfbab3170179e1d71dd1bdd1c923ad260a1688dce844e28c3f1

(this sample)

Dropped by

MD5 a5a9954a6f02518febb9d9519a407097

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/24380/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample