MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c01176f8ccb757f80cb32c809cfe0ceec9e100b199d4beec5f92adb824517869. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c01176f8ccb757f80cb32c809cfe0ceec9e100b199d4beec5f92adb824517869
SHA3-384 hash: 7e5a09bc5188bc144cac7b8322a7bdbc6fb9b9095aabbd01af9e253a6e35a61a63e51a58cd4e0cd13c41dbf18793da30
SHA1 hash: 46dada6d2eda24b9d9baa954dcad8860a8848126
MD5 hash: fb20529923ea7480ca21d00fce76c327
humanhash: minnesota-moon-massachusetts-romeo
File name:AWB#5421457894.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:692'736 bytes
First seen:2020-07-20 07:25:27 UTC
Last seen:2020-07-20 08:10:26 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:4lq6KltUaGkL2Ga6fWlw/TXDBY29M5LXyBEosyc71jdUEvdnm0X5GYzXP8vFJyDP:4MfUaGWFDXDOssTyyNn71BtnlHXmNG
Threatray 10'628 similar samples on MalwareBazaar
TLSH 23E45B3D3A426416D73D0A3284A499C066B562473F12CF0F7AD717AC9F037DF7A06A6A
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dhl.com
Sending IP: 103.99.1.141
From: DHL EXPRESS <noreply@dhl.com>
Subject: RE: DHL Shipment Notice of Arrival: AWB 5421457894
Attachment: AWB5421457894.7z (contains "AWB#5421457894.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28546/
Detection(s):
SecuriteInfo.com.Mal.Generic-S.14946.1320.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/390928
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c01176f8ccb757f80cb32c809cfe0ceec9e100b199d4beec5f92adb824517869/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-19 23:53:36 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yaixn6gmw5l7qdftfsajz7qm53e6cafrthkl53c7skw3qjcrpbuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0fb739ef1d92cb9e84d30184e289bdcc2e1d851d302e69665d34ce9768c3ddbc
AgentTesla
3bf2b67fb65e52b1ae2091d5ae6d569079c6fab8d5d99f8ebe0b179158efdacd
AgentTesla
5ab5e18b5ffe74e4c3ccf07f2e19f2daf006338022e64806b284eb8e0f0e1c15
AgentTesla
89f49fc426262096d0c4c40eace8339a1c09de5e3c6e1d7e0b570ba08713d9db
AgentTesla
9279a522d40389c547e400b7a2f4f778cb7fb48736803eabc4000470ccbdfd6c
AgentTesla
973de14a37f6408161ec0ec249a50527d3cdf4bf7482a67134ac7b0c9e3b7a25
AgentTesla
9a6ccb15221b536964b80126a69fe4d0af0ec7eef147b7d6c8385b5913dbca5c
AgentTesla
c4412b2563fa12f9cfb74a6c5f6cd63fa17afd15ef374cf846f3b808e9a01fb5
AgentTesla
cf8d42cb55e45c4d75fae6e07b6802ae059fff427510b16e754d36e522b28a80
AgentTesla
efe9be78a8da440c576162c8bd5498972ec6134b4276c05acb6a3b060a4013bb
AgentTesla
+ 10'618 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200720-z4qh2zqqgs/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c01176f8ccb757f80cb32c809cfe0ceec9e100b199d4beec5f92adb824517869

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 5f3ae1dc435ebdcc054f21afe4987b4db5b00e2ac8e9b89d9b447e60d9fbe553

AgentTesla

Executable exe c01176f8ccb757f80cb32c809cfe0ceec9e100b199d4beec5f92adb824517869

(this sample)

  
Dropped by
MD5 778425310058efb130329d819b66f0fd
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28546/
  
Dropped by
SHA256 5f3ae1dc435ebdcc054f21afe4987b4db5b00e2ac8e9b89d9b447e60d9fbe553

Comments