MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dc7b55d9c01a9f7812b06be0f41d45c82305f07e25a1232bea4f00a6dea45c6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dc7b55d9c01a9f7812b06be0f41d45c82305f07e25a1232bea4f00a6dea45c6e
SHA3-384 hash: 13226af241c63f583991ea98efe772e89460f10247924752ceaadefebc33b975bae7a09e5f156f9c366b22f59e997af0
SHA1 hash: a75530b2dfea55d6d5136807d24584fc96a03510
MD5 hash: c3387fa27485161258e1abaca64d9dac
humanhash: black-fourteen-ceiling-football
File name:Proforma Invoice.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:537'088 bytes
First seen:2020-05-27 04:27:09 UTC
Last seen:2020-05-27 05:53:49 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:aZb5agjQ4mukm3T+aOIH9fdnFdljKghzPBJrHBPphlS:uQ46KdfdnDl
Threatray 10'605 similar samples on MalwareBazaar
TLSH 3BB4BE9C3350B6DFC857C976DA681C64AA61747B570BD203A42312ADAE0DBABCF114F3
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WBA.25161.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-26 20:22:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02598592bee4d0e9a9b20966d8843b3541d7041a7e307b091369f0554e28888b
AgentTesla
0382884e9d5a700d9e0b587cafd5eb5849b5cf65396de1af8210e20042194bca
AgentTesla
135745622b39e964a7dc0406ee50a938d21a3627508b0c431cf9571dd1a71403
AgentTesla
16ea5dc52c94b89cae902c89ca1e1d5572268b83014fe2d8175061f654295ba2
AgentTesla
3e12b0587d24f1f28bfc04ac59f0479bd458d042e5ec0602276ca8044c5b77ce
AgentTesla
5ce2d2774ba40e6dc9997abefd9d8d50321eb37b26e3b6963add26877f036a3e
AgentTesla
638c1a92d23c9660163d8cc9e985189afe678096062a115ac08187d89a2e4149
AgentTesla
a4a97ffddcc1f86ee8d3c45421375fb560f3b9aa9428cc3079cffc1edf930d0d
AgentTesla
bc3401d05a180606f7593e377e8bb1070c06c90cde1e268954f43e44d8b571a6
AgentTesla
c5b7a21aec63cb037d441c6e850b500567b1937c21e4f842fbf73930a6ec62a4
AgentTesla
+ 10'595 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-zxmbqn2w6s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 9f012edbfb897f768764fb3d66cf545f8a1b26f4b9f5bc98c1966aa581cbfa6a

AgentTesla

Executable exe dc7b55d9c01a9f7812b06be0f41d45c82305f07e25a1232bea4f00a6dea45c6e

(this sample)

  
Dropped by
MD5 55549c2e41ee73c562f5df07d5d6473a
  
Dropped by
SHA256 9f012edbfb897f768764fb3d66cf545f8a1b26f4b9f5bc98c1966aa581cbfa6a
  
Delivery method
Distributed via e-mail attachment

Comments