MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4412b2563fa12f9cfb74a6c5f6cd63fa17afd15ef374cf846f3b808e9a01fb5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4412b2563fa12f9cfb74a6c5f6cd63fa17afd15ef374cf846f3b808e9a01fb5
SHA3-384 hash: 4b6e7e4f22b44d4eed83667d0d2c5918be0f374150611f60d74671b854689e9ea74246453903b27f2bfcde888499641b
SHA1 hash: ebef5683355560d5463e66996cc2878f3670d678
MD5 hash: 97d445e3b07a19c03b0645affc4add14
humanhash: wolfram-mars-hotel-undress
File name:Scan_INV0719.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:814'080 bytes
First seen:2020-07-20 06:49:41 UTC
Last seen:2020-07-20 08:10:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:zlq6KltUaGkL2GEWAu3tQ7bO+6BF7rNXEv8dH8XXdBt0/0py/WzCa2YL4HJBUljG:zMfUaGWFAp6HlXEv8l8jcifkEjGw6Jn
Threatray 10'685 similar samples on MalwareBazaar
TLSH 3A055B3879865405D53E0A3688E86AC237B0A9473E52CF0F6DC72B5C9F133DB3E46A56
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.kumarilawyers.com
Sending IP: 162.144.42.75
From: KEI HWANG <sales@hanil-fuji.com>
Subject: Fw: Scan (1) Inv_Ref_19207
Attachment: Scan_INV197_pdf.iso (contains "Scan_INV0719.exe")

AgentTesla SMTP exfil server:
mail.impressindia.net:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28514/
Detection(s):
SecuriteInfo.com.LuheFihaA.12291.15403.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c4412b2563fa12f9cfb74a6c5f6cd63fa17afd15ef374cf846f3b808e9a01fb5/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-19 21:04:20 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yraswjld7ijptt5xjjwf63gwh6qxv7iv543uz6cg6o4ar2nad62q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1166c4bbeea926cb730b1069dac2f0d61f8898105224c187b184f0e3e9898403
AgentTesla
350a1cceb4f399c5d7515ede00aa6c9dbf6a6d9a4b96ad87f158005d58faf567
AgentTesla
35cfc1673d87e25347c6ebd9142e0ac184a51c68392c12c3ef7ec2f2ede87874
AgentTesla
4163f850032d58f8df3a47be1173ff7ff5d89c989512bd08979e724261994345
AgentTesla
54bd5cfab1dd37a3b3c905c14768d9f2465e770a69dc0c057c2193c9ceeabed7
AgentTesla
585b05096823a09fd7264ec95892658d0a12dc78ef2a8176646428ccc71db8cc
AgentTesla
5c133741b443850a940c58eb5a162c485b8186d0db0c99be3962e277eecca550
AgentTesla
9a6ccb15221b536964b80126a69fe4d0af0ec7eef147b7d6c8385b5913dbca5c
AgentTesla
c7ea090c263f8b67203a9b0a291d1f2711821bd8489caad226f44a4b588a4579
AgentTesla
e939e5ac72af54c976d32967a56e22c82b4c46fc5693ebf04ccdbbd4ccdc3470
AgentTesla
+ 10'675 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200720-hmayxlpz3x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c4412b2563fa12f9cfb74a6c5f6cd63fa17afd15ef374cf846f3b808e9a01fb5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso ddaf012089c54f6e8eaa8716514fd24359ece54166efb2e46d471a5c3bd68126

AgentTesla

Executable exe c4412b2563fa12f9cfb74a6c5f6cd63fa17afd15ef374cf846f3b808e9a01fb5

(this sample)

  
Dropped by
MD5 d4ce2c8151827421edcc28f7fa90b496
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ddaf012089c54f6e8eaa8716514fd24359ece54166efb2e46d471a5c3bd68126
Cape
Cape
https://www.capesandbox.com/analysis/28514/

Comments