MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d2827b9a0edb006fbb6ade9f63d0948515ace0f6199a5a59725b8279eed54f25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Signature: AgentTesla
Vendor detections: 4

SHA256 hash: d2827b9a0edb006fbb6ade9f63d0948515ace0f6199a5a59725b8279eed54f25
SHA3-384 hash: f786e42e7ba91f5a89df092e2480533705520ff8255539fe808f9d959111780a7cd32a7d10d5f99870577b6d0bc7face
SHA1 hash: 825d2af094f5daf4346bd2240f19d04ca3e3c485
MD5 hash: ef87f82a6538cd6939e1145369dd2720
humanhash: asparagus-delta-dakota-march
File name: Purchase Order.scr
Signature: AgentTesla
File size: 455'168 bytes
First seen: 2020-06-09 05:49:39 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep: 12288:LHbOX2t/uIsaeVVtovjVFgpL+mFNuCWv68+6:LHbg82UeVYvJ4LtFNdWv68+
Threatray: 41 similar samples on MalwareBazaar
TLSH: 4DA4EF023384EA25C5BD92B8D696093483B598837F31D6485D2B23D69BD7F90BE05ECF
Reporter: abuse_ch
Tags: AgentTesla HostGator scr


abuse_ch
Malspam distributing AgentTesla:

HELO: gateway36.websitewelcome.com
Sending IP: 192.185.179.26
From: Lindsay Butler <lbutler@tamtech.com>
Subject: Full Proposal
Attachment: Purchase Order.img (contains "Purchase Order.scr")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads: 1
# of downloads: 74
Origin country: n/a
Vendor Threat Intelligence
Threat name: ByteCode-MSIL.Trojan.Kryptik
Status: Malicious
First seen: 2020-06-09 05:51:06 UTC
AV detection: 20 of 29 (68.97%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger rezer0 spyware stealer trojan
Behaviour
  Suspicious behavior: EnumeratesProcesses
  Suspicious use of AdjustPrivilegeToken
  Reads data files stored by FTP clients
  Reads user/profile data of local email clients
  Reads user/profile data of web browsers
  AgentTesla Payload
  ServiceHost packer
  rezer0
  AgentTesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Type: Malspam
Malware family: AgentTesla
File: Executable exe d2827b9a0edb006fbb6ade9f63d0948515ace0f6199a5a59725b8279eed54f25 (this sample)

Delivery method: Distributed via e-mail attachment
