MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b7d226784dbf8f2a77af4b279116c799e50e20c99154baed7bfac4c91d5c9b2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 3 Comments

SHA256 hash: b7d226784dbf8f2a77af4b279116c799e50e20c99154baed7bfac4c91d5c9b2c
SHA3-384 hash: 84e34a01e9a4406f8dbf9a6cb17a7cf5c5fdcb6e046dd4af03ff3acc8ad16cc0cd2c7e7b4dac0daf150ed0073c3d4cf3
SHA1 hash: 11af13d900a8f4a5672a27fac874e5b2db356194
MD5 hash: e27dc9dad12426a13a217a2a8ca524ac
humanhash: juliet-july-mockingbird-lion
File name:comeINV0007576.exe
Download: download sample
Signature AgentTesla
File size:1'024'512 bytes
First seen:2020-07-31 12:06:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:wHAgbCa8sGQTwRwuPcSNPQRI0ZZ/9nYCS+6ta2IIhnMzFpZSYBvjkLY2w:wHX8kTkrPQmKls3hsZB
TLSH D425F52B2A4E9404D93C093D44A559D0627CBD472AD1CB1F7A86378C2EF338B6F36D5A
Reporter @abuse_ch
Tags:AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: mail.nemoexpres.ro
Sending IP: 109.99.185.45
From: info <avira@3psoft.gr>
Subject: MSC Quotation QUOTE-GRPIR-251381
Attachment: comeINV0007576.7z (contains "comeINV0007576.exe")

AgentTesla SMTP exfil server:
mail.konchilakis.gr:587

Intelligence


File Origin
# of uploads :
1
# of downloads :
32
Origin country :
US US
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.adwa
Score:
51 / 100
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the startup folder
Sigma detected: Add file from suspicious location to autostart registry
Yara detected AgentTesla
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255356 Sample: comeINV0007576.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 51 28 Yara detected AgentTesla 2->28 30 Sigma detected: Add file from suspicious location to autostart registry 2->30 32 .NET source code contains very large array initializations 2->32 7 comeINV0007576.exe 7 2->7         started        11 system32.exe 2 2->11         started        13 pcalua.exe 1 1 2->13         started        process3 file4 24 C:\Users\user\AppData\...\system32.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->26 dropped 36 Drops PE files to the startup folder 7->36 15 cmd.exe 1 7->15         started        17 system32.exe 3 7->17         started        signatures5 process6 process7 19 reg.exe 1 1 15->19         started        22 conhost.exe 15->22         started        signatures8 34 Creates an autostart registry key pointing to binary in C:\Windows 19->34
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-07-31 04:08:21 UTC
AV detection:
17 of 31 (54.84%)
Threat level
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
keylogger stealer family:agenttesla
Behaviour
AgentTesla Payload
Agenttesla family
Threat name:
AgentTesla
Score:
1.00

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe b7d226784dbf8f2a77af4b279116c799e50e20c99154baed7bfac4c91d5c9b2c

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments