MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cc75bdcebd9658c79051c35083b71ba78672538a14d34ab0d1f396c6b1c4ea69. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cc75bdcebd9658c79051c35083b71ba78672538a14d34ab0d1f396c6b1c4ea69
SHA3-384 hash: 4b4aba9eb07957a266c676dbdfd4fae6503104025099663225e6a8c607950a2a8d53298b06410298575335896dcfeb87
SHA1 hash: 8587f562a557e40f765d83ca9c55ccb44cfcee0b
MD5 hash: af7e58562b19323153abd6a02b8d70ed
humanhash: low-ten-bacon-mars
File name:Payment Request - invoice G3181992 [200126-008251].exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:509'952 bytes
First seen:2020-06-10 07:06:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:wx9DPvHGxRlgDtOT8PVflEE1lG2Ljmtn53ii8Wc5YTQLh4XUhNA8Qv:w7DERlkOT+V+E/G2LM53xckQLw
Threatray 12'377 similar samples on MalwareBazaar
TLSH 71B4BE883650B2DFC827CC7689E81C60AB61A56B532BC247A44712EDAE0D7D7CF146F7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: hameedentr@cyber.net.pk
Subject: Payment Request - invoice G3181992 [200126-008251] PAYMENT,
Attachment: Payment Request - invoice G3181992 200126-008251...pdf.gz (contains "Payment Request - invoice G3181992 [200126-008251].exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 07:08:07 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zr233tv5szmmpecryniihny3u6dheu4kctjuvmgr6olmnmoe5juq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
153a46afc5a3b15da6598ce740a8aef66570875659e706fd91d501978cf87e46
AgentTesla
30fdd56ea8646781decef9395d191a98f9b0319bff33713a6486137274efc270
AgentTesla
4f7cbe28e76cbbcd0b554381e0dddc42d29f7ef59716101825addb74a10011fe
AgentTesla
53067d01c3271de3d669db24bd569022afa0350320da1fe1466c3670f8b02c27
AgentTesla
5cb62c0b64b7565e18107e60afd7c151938a27d8a183ec8cae4945bee2b00cf9
AgentTesla
6a47bf03b1ffebac3ef5497af7d67aa562f3c401c3694d8551f7092f7f469313
AgentTesla
7193d497b1b85ec895b6d2c976a2d102a1a33d52b029a233d94a12cae12bd6f9
AgentTesla
746a353b71345f9e27dc628cf30df6004370b4c8276c236704cba896debb2b2c
AgentTesla
9eb70476477594ee698676f3216e14549bccd4e350f9540eda72694901ba4129
AgentTesla
ed15459a7fd8570fc69235cac35dbe1617fa919c6c09a1978df30952b2af53b1
AgentTesla
+ 12'367 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-cp2tkjh6an/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 5c2afec95e5c8986d5ef1f635ab651f64411d0ee8bcdf199c35fbc3f586efbee

AgentTesla

Executable exe cc75bdcebd9658c79051c35083b71ba78672538a14d34ab0d1f396c6b1c4ea69

(this sample)

  
Dropped by
MD5 cb106fc89d66028f885c9eb80f6bad65
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5c2afec95e5c8986d5ef1f635ab651f64411d0ee8bcdf199c35fbc3f586efbee

Comments