MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cfdd6d4f9c20199dd0ab9baa8c2a21e9855db1816650c80f06f72cc1b05cd40f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: cfdd6d4f9c20199dd0ab9baa8c2a21e9855db1816650c80f06f72cc1b05cd40f
SHA3-384 hash: ac8c62b51da61b6ad0636f093d44a36973644149fcc58260fe6de7c88c6dd2927d3d486493ae381591950a8e469ce3bd
SHA1 hash: 1dd93537ca0f55377da69c47128c196f6addfdb1
MD5 hash: 3309e11f0c1bfc5d7c49da5c8bdf8cd8
humanhash: arizona-ceiling-bluebird-comet
File name:D9730F87@9F6F0C33.D55EF95E.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:490'496 bytes
First seen:2020-06-30 05:31:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:6WOKVWU6nTgnp3KAyAi8eQ//2XkLvecPTVYaCWVzFPSVOj2k7uBZEJx:HWU6nEnWQmXgveGpCWHaVKeZEJ
Threatray 10'597 similar samples on MalwareBazaar
TLSH 51A4E05073F9870AD1BE47F994B010541BB67A16B623E35C8CC134EA5EB37810E6BB2B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.beeinspire.com
Sending IP: 115.124.125.172
From: Prakash International Pvt. Ltd <r.jadeja@pciplindia.com>
Reply-To: rjadeja-pciplindia@post.com
Subject: Hello Sir/Madam
Attachment: D55EF95E.rar (contains "D9730F87@9F6F0C33.D55EF95E.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/16770/
Detection(s):
SecuriteInfo.com.Fareit-FVR97B1CDB35EA0.28661.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/cfdd6d4f9c20199dd0ab9baa8c2a21e9855db1816650c80f06f72cc1b05cd40f/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-06-30 05:32:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=z7ow2t44eamz3ufltoviykrb5gcv3mmbmzimqdyg64wmdmc42qhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19431ff59946eae2bff6bd9ab5dde7fe6cf57495e2ffa388c92544e24f8f77f1
AgentTesla
47ce52b1f15fd49510cfba9d86dce468c950d0a5bd7866f41a7affe9e9508f23
AgentTesla
7348aa6bc1128a83b361be3add1588adb8c41cb7e83fb3bf8625d63521da91c8
AgentTesla
7d7c564bbd04fdd7765b8f5d0ef8c1c21af8a247db06e9d02176dd2d60b5fd60
AgentTesla
a011199cb8b7164445d166285b1b0ebc6df462f34de7ab41856a52f4f3465fbf
AgentTesla
c507c7098b6b3e24a6f84486d8b9e301f154a0227f51a0b2cc28a0ed767e6469
AgentTesla
cb48dbab14d829d20075958b99f179cd774fcb41d105b28d3fac54dbe80639bb
AgentTesla
e8914cf7220c624fd5f19ddc86efa338ec9d75de44249e70ec71cd98880794d2
AgentTesla
ee40db183a9f86ee97dd3803b54d1711d443d25beb0160fd89cd54ad890b8485
AgentTesla
f8e20d964fee50b5c359d91fac02115f74abb37f769c5d1869bbe2fcf22deebb
AgentTesla
+ 10'587 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200630-jdx6cjheax/
Behaviour
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 92d5e8dcca50c4b467ffe375e1859ef1b2851b4f99c9ffe89abd9574a4a00f9c

AgentTesla

Executable exe cfdd6d4f9c20199dd0ab9baa8c2a21e9855db1816650c80f06f72cc1b05cd40f

(this sample)

  
Dropped by
MD5 bdf620bd0e79af247c15354834880205
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/16770/
  
Dropped by
SHA256 92d5e8dcca50c4b467ffe375e1859ef1b2851b4f99c9ffe89abd9574a4a00f9c

Comments