MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e78e7d17890f956f99183f8524d03f871bce6e82cc1794937d680c4510bb4be9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e78e7d17890f956f99183f8524d03f871bce6e82cc1794937d680c4510bb4be9
SHA3-384 hash: 616777a705f266a4c66fdf6257cd930a877e60c8f40ee9f206a895d09e43309b1008fac5f99b67d809cd340fd81c39fd
SHA1 hash: 64be33035c41fcb68a2c1b576286f902e519a659
MD5 hash: 18376bd1c0ad2d6cc811aab96027da5f
humanhash: magazine-lemon-uncle-golf
File name:Contract Rates.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:319'488 bytes
First seen:2020-05-12 16:16:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash fca6871dbe8ea33b4f2332029983bde2 (3 x AgentTesla)
ssdeep 3072:NCqCmC/kaK/VsPWhAdMdq/+HdpwXFAK9ZVxauxVQ4KV+bar47nrPHTEAs3NzwIAX:qkQWhIAnsQJoIOb23ZLARDyV/qJZKJw
Threatray 213 similar samples on MalwareBazaar
TLSH DB6402516FB80B61D2558BF32BB296B1921EFF714960C8072BCD7E0867F9A80D5137A3
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: clear.gilbertshortsale.net
Sending IP: 193.143.1.26
From: Ali Kassabieh (DHL AE) <Ali.Kassabieh@dhl.com>
Subject: DHL Proposal
Attachment: DHL Documents.z (contains "Contract Rates.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Trojan.Hosts.47568.23872.20348.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 08:02:05 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=46hh2f4jb6kw7giyh6csjub7q4n443uczqlzje35nagekef3jpuq._file
Verdict:
malicious
Similar samples:
009408ca7bf5c48fc1140cbe594f1461defd77206be643e1f9bd548986ad636c
AgentTesla
25d7c4fad856957a1a4b2a146221ca5620675edf33eeecb596a2610bb719a45e
AgentTesla
26a66cf0d4dd345800c6695287e2c2d54a70f98892edffcd27c2f9475ac9ca82
AgentTesla
39c531db99d46a4b3906a41e6e1afdb2523106c795b11eecaf75bc3a1fbff57b
AgentTesla
63f6b1b60bad01e24355ba56b1ffee392c87858a40ecd14d76e51ebe7c3333d1
AgentTesla
67b46301815d5ba32f90af114a459810902ba6d97a75821c8455b8103073b499
AgentTesla
75da456980b6c16a80a05269d6fee93bc18a242ebe0c7f9f014bad8828b09291
AgentTesla
a5e798492ba6892a57c79c635679563eceacb6d1efcc38f5dfc0232518861ca8
AgentTesla
c90c7a5567f9db6866c7028e6dd1da3bbc962c42e5fe17f393fd3aae6c7d63d5
AgentTesla
e25b667d727278544032a0553b0ce93d6634f27be4c5abb8b7f103337bc683e2
AgentTesla
+ 203 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-d9d1qw8zfn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 0879e3df000ba3c68fe594767610aa373c7c19053eae0bac04076a76ce8aac38

AgentTesla

Executable exe e78e7d17890f956f99183f8524d03f871bce6e82cc1794937d680c4510bb4be9

(this sample)

  
Dropped by
MD5 8aac9e0a1f733794f64dfd4bb7252732
  
Delivery method
Distributed via e-mail attachment

Comments