MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0f4e90da1cf7b70ef688b9bc4f10a460d747b792f46d91f139e8cd05481059f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0f4e90da1cf7b70ef688b9bc4f10a460d747b792f46d91f139e8cd05481059f
SHA3-384 hash: d7c3bf44f8dfe8a0a37687e133a0bc325f01bfa1414d9e391767046820b8548ff570943d12dc63b424e59d50ab24f4e5
SHA1 hash: 6a9b7d284e4beb6a7a5d2acac6358a3d26f190dd
MD5 hash: ce247941b9dda8e00bbd38b57decf04e
humanhash: orange-video-steak-north
File name:Remittance Advice,PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:411'136 bytes
First seen:2020-06-20 05:47:51 UTC
Last seen:2020-06-20 06:58:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:svcUwK+Q80mnbb6ty/lzN3HwvKQoXsIO9YSivOVeTfvMqQhmYmqSjhjC:vbX6tWlJbXsH9lKkbmLj1
Threatray 10'683 similar samples on MalwareBazaar
TLSH AF94CF9CC78C655AEAA90E7ED063207397EAE7272E42F71F57A800991E473C73463346
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: alias1.industralnews.com
Sending IP: 194.34.249.254
From: Accounts <info@industralnews.com>
Subject: Remittance
Attachment: Remittance Advice,PDF.UUE (contains "Remittance Advice,PDF.exe")

AgentTesla SMTP exfil server:
mail.marketinfosales.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9883/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WEZ.18971.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-06-20 05:49:04 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2d2osdnbz55xb33iron4j4ikiygxi63zf5dnshytt2gnavebawpq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1de6d8667da47acd79149ba091ed36cf9e6b40e469ac7e49299792c72e21e764
AgentTesla
66a8c938adab25455ae47bf87fb5f2f17954f5a7a65434171b0e9342fbd76770
AgentTesla
6a31202250692a5fc5db29563f8b1f9cea0e2b77fe0261df224717644347858f
AgentTesla
6e3a137a621b11e16fb46aa747fae37564a0cd03e57873193fa5f772a5822628
AgentTesla
7fc9466732f48a13fba7f7169c3eb19bf021d6adc63957ee1c5d57910887782c
AgentTesla
97c3cf905c068daf00bbc9c10810ff4437d953c3263e962b0454d0babcfe5494
AgentTesla
a9f98038cac91d7d9f92301d7738f9187fdc1a879aa9db3373ce1fbe1bbd6eae
AgentTesla
d1af73fc3a8feb9a8254eff6a4a94d1637593ade739fc42da2a4907029fa03e2
AgentTesla
f187aab18607c012460083a62bafb6e17e1b9e6003fc0196695dfd48ae2eb361
AgentTesla
f3635e26f70dfb1240a5f8c7b09ea634ee9e5b6692cb73829b0124c0b2505281
AgentTesla
+ 10'673 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla persistence
Link:
https://tria.ge/reports/200624-7p1n32f1pa/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Modifies service
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip bb92e12370872f0879d821fe2795f7b86c4bb84ee06b7445e5a59af2abc7157b

AgentTesla

Executable exe d0f4e90da1cf7b70ef688b9bc4f10a460d747b792f46d91f139e8cd05481059f

(this sample)

  
Dropped by
MD5 acbab1e2cd9000f05592d63dde53fcbc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 bb92e12370872f0879d821fe2795f7b86c4bb84ee06b7445e5a59af2abc7157b
Cape
Cape
https://www.capesandbox.com/analysis/9883/

Comments