MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb215970f09e072c24bbc17c0c255447861c7f9f01c357dd6670ca5c49dc2262. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb215970f09e072c24bbc17c0c255447861c7f9f01c357dd6670ca5c49dc2262
SHA3-384 hash: b171082665244a2efde6770195490aec805053d46cb48e53996a8baac69f05d02746059deda76b66b347bb0b36f748f9
SHA1 hash: 5c8ad52c0c3b71e7d74807710832e947ab899b0d
MD5 hash: 016cbdac6e4190c250ad703f65fcb0f2
humanhash: winner-blue-delta-golf
File name:SB RFQ #60520.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:365'568 bytes
First seen:2020-05-06 11:03:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:/h/pG43qDiPyTW54946tHW8rkiK9t44lkGK6zgJlRw0Xg5IOKwNtp:/ZpV3dyTAQ36iKPlg6zuvwva/wn
Threatray 10'632 similar samples on MalwareBazaar
TLSH 5D748B3919FC9137C775C6F68BD48423B214D1E73622AA3476E797A98743E022AD323D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.aduamerica.pe
Sending IP: 198.1.66.95
From: TAY Kok Leng <KL.TAY@kvc.com.my>
Reply-To: TAY Kok Leng <arkshopibericq@gmail.com>
Subject: SB RFQ #6/05/20
Attachment: SB RFQ 60520.pdf.iso (contains "SB RFQ #60520.pdf.exe")

AgentTesla SMTP exfil server:
mail.apipharrnatech.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Genkryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-06 11:35:55 UTC
File Type:
PE (.Net Exe)
Extracted files:
2
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xmqvs4hqtydsyjf3yf6ayjkui6dby747ahbvpxlgodffyso4ejra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a6f58799573f8dc4cab3ceb48832902460b893bc5607cb77ade332b7d4f3a91
AgentTesla
0d048612a3cb9e6113b539ce3bd2f08f56e604869cdb38edcf02400ae12c3a74
AgentTesla
18ee411e31ac1f4e3bcd2d811b147853bf2977645c631809acc75b7639e7292c
AgentTesla
2b1e4f6443927562d460588af4264fa5c5bdde4b29779588d5c0998269958f56
AgentTesla
5bdd8fb618fac11ac4607b9d16a0183a461366e00f37c09a651cf3fa62a61424
AgentTesla
9297d40e8a55c2bb0d833d2210859dbe1a3486503f47781ac46cbb96d842407d
AgentTesla
ac91a92482a83fc39b66e0e3f6c46839fd77d16316c38830a9921ca707e824af
AgentTesla
c102aeafa1ba9f31a8433b1c3b14f8e555eaf7d2dd5af0cd63403ff0160134f1
AgentTesla
d92c7343d3643bc031c353f789cf3a28d5a152a10f5848bafb2ad99f4a49f99e
AgentTesla
facf028923bb080f70fa54f8c547679651df7d1dbb618cdeda7b16f8fb0f4005
AgentTesla
+ 10'622 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-vs5f8n9nv6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
ServiceHost packer
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso ac116ca7646dba32431fee10f16471987a62b25423af90bbc247d2ec1cccf663

AgentTesla

Executable exe bb215970f09e072c24bbc17c0c255447861c7f9f01c357dd6670ca5c49dc2262

(this sample)

  
Dropped by
MD5 29290693eec04e92c2cb6c4ba7071476
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ac116ca7646dba32431fee10f16471987a62b25423af90bbc247d2ec1cccf663

Comments