MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c4c50cf3bc3e1096a29ec0c968224cd64a080a34322d2f7d27a75d2f992cd29d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c4c50cf3bc3e1096a29ec0c968224cd64a080a34322d2f7d27a75d2f992cd29d
SHA3-384 hash: 0895f1dc054ce1bd34097b8ec3585dec726fd5358575d2e627e47752e231c0b7ecb55c890e92d6ed5b4e77eb5240cecf
SHA1 hash: 15e57ec49f0d7fc6936ca88c8946b97bb942e916
MD5 hash: 20da25eaf3a27483c08e99120b868454
humanhash: wyoming-uncle-delaware-arizona
File name:Order_List July-2020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:943'616 bytes
First seen:2020-07-09 07:57:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e335e0f383b17202864efb975d29d538 (14 x AgentTesla, 6 x Loki, 3 x AZORult)
ssdeep 24576:UkAVCi74LofeHXecQmiDXeOjLcXV3W4FJh52:Uiiuo2Oq4XeOjLcXVpFJhM
Threatray 11'228 similar samples on MalwareBazaar
TLSH 11159D22B3914833D0631A3D8D1B7778992ABE122E28BA4B7FF55C4C5F3A6403975397
Reporter abuse_ch
Tags:AgentTesla Endurance exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 142-4-22-49.unifiedlayer.com
Sending IP: 142.4.22.49
From: sales@belbev.asia
Subject: New Request Of Price Offer For Your Products / SHIP TO SINGAPORE
Attachment: Order_List July-2020.r11 (contains "Order_List July-2020.exe")

AgentTesla SMTP exfil server:
smtp.desmaindian.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/23558/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Launching a service
Creating a file
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun with Startup directory
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c4c50cf3bc3e1096a29ec0c968224cd64a080a34322d2f7d27a75d2f992cd29d/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-09 07:59:05 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ytcqz454hyijniu6ydewqism2zfaqcrugiws67jhu5os7gjm2koq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
46e4f16115ed5c3689638efe671b3b8d9fa2deca92afcab330d31f99a5fb1850
AgentTesla
58e2c70cfbd44f3c9923c3b1e1e07e9a487c781374879b45121082c0173c2ed2
AgentTesla
61b6252c6e94348dfb52432de874d4784801bbf11016af055d2b625c1ec65463
AgentTesla
667ae0abe8e26c9518983da85ba06110e8a321c52497348bd8fe57a61cc7695b
AgentTesla
6737a73c3d70c5df327bbba6c8eb3769f6da5bf8e90a87a1e3a4c2de29b5408a
AgentTesla
775f508ce9aa128d16970e85f0b02f8f200c50dde94a1e345621069dd7042330
AgentTesla
934982623de62355613d2c7e8f8d1edee0a5db84c99636fb9ee543e7cfc6a079
AgentTesla
ae451bf0f958bf82ce70a55e5e0af6fbb70f1b06cd0bacb5bdc196c16f6da11b
AgentTesla
b3bf1c568dfbb2a1af09b07eb0a7aff6e2d7addbf3c51e4c6850ebc96afd103e
AgentTesla
f1dce00c5aa4c6e5023465e1909245114db371694b703c291bdd29de9e7806a8
AgentTesla
+ 11'218 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200709-eq2n7djgd2/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar daea3d388a69a86412d2c437f1a4fab7e8d0911df7061c570b346cbfa5cdde50

AgentTesla

Executable exe c4c50cf3bc3e1096a29ec0c968224cd64a080a34322d2f7d27a75d2f992cd29d

(this sample)

  
Dropped by
MD5 280ce5b6a139fd11dd345b3f51987360
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/23558/
  
Dropped by
SHA256 daea3d388a69a86412d2c437f1a4fab7e8d0911df7061c570b346cbfa5cdde50

Comments