MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c1a234de258c217baed47f488a8a2cc414ec307f960480c41678b14dad063445. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c1a234de258c217baed47f488a8a2cc414ec307f960480c41678b14dad063445
SHA3-384 hash: d246441f72ba4569300ad17756af6befcf7c09330bf9ab0666d7582f58b8f195e41a8dee9ded5313455c7bb9880e0f41
SHA1 hash: 8f60db8efded3dc7aa3aee185989adcdcd512027
MD5 hash: 527531236e69c6b40c3d564a80d6fc42
humanhash: lion-orange-idaho-fix
File name:POrder_SMC2200519110_MARINEpdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:440'320 bytes
First seen:2020-06-22 07:42:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:+Pyferb+at5q81vKEcHpQZJbVfpELLv5G:+aeTq+KEupQpyLLv
Threatray 10'612 similar samples on MalwareBazaar
TLSH 5894E0013FA8470DE86993BE1022425E173277E65661E2CE19BBFD9D1C26F43468DBB3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mout-xforward.kundenserver.de
Sending IP: 82.165.159.44
From: Tina|Hissen Marine & Industry<deckow@rebingul.us>
Subject: Re: PURCHASE ORDER NO.HM200317N63_MARINE - SMC2200519110
Attachment: POrder_SMC2200519110_MARINEpdf.zip (contains "POrder_SMC2200519110_MARINEpdf.exe")

AgentTesla SMTP exfil server:
mail.sevenstars-travel.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12461/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c1a234de258c217baed47f488a8a2cc414ec307f960480c41678b14dad063445/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-22 07:40:44 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ygrdjxrfrqqxxlwup5eivcrmyqkoymd7sycibrawpcyu3liggrcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10fad4b65a448aaf07a2485e21c8679f9abf3384956f313177e5af3d971ec5db
AgentTesla
1fe9e9760604fed048445b3c79c91d30a9b1cf75a2a689c48181724a91df38e3
AgentTesla
2102f5eded1e2dfd84d46563eeb6e3e78dbc99c55e3aa10bc40db3b412f5472c
AgentTesla
414bb3f2c1e4c38d1e59fdef2342ab4119d135c09a87b678a4646a777b95db7f
AgentTesla
53b46d34f83089daffeabe9194cb6f9bd3d9863d4729cad13838aaefeb85d5f4
AgentTesla
54d05b40cd778ff8328576a776c5f28c5bf6db2c15bd6ccb4dce17a27336d55d
AgentTesla
798676352c75523109a4cd08f282ae658bdde5ba1e77b45d19c8fee68115d3df
AgentTesla
a2e1197998978fb090b0cbdeb9365d22730330c30b9bf53f6b6e0cfe42da856a
AgentTesla
ca85ea610b26c1c9d595cec0108697c662f5580cd9c7d3e26d227f52bb951bff
AgentTesla
d76f0bd1f51c30e542ba1e6dbc01e5937123afb5bcda0a88c0541a3d66c9346d
AgentTesla
+ 10'602 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200624-etyz1sy79n/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

088002acdc881c41e274e49176060e89

AgentTesla

Executable exe c1a234de258c217baed47f488a8a2cc414ec307f960480c41678b14dad063445

(this sample)

  
Dropped by
MD5 088002acdc881c41e274e49176060e89
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12461/

Comments