MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e7e7041b16466bd06811dc949564fdc2cabed3c4f7e8957581f0a4b53808ab0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e7e7041b16466bd06811dc949564fdc2cabed3c4f7e8957581f0a4b53808ab0f
SHA3-384 hash: d3d7f25b06342a2e4e622dae6ba0f118351b967da2a70fe4d05380639bf0ccbfb83bfe9df91e4d0035622c74b3c80e2c
SHA1 hash: b824a90ea2adddfd1dbd840351dc2dded98d8963
MD5 hash: 70c9f377ddfdd0fd1e9ae71bed456205
humanhash: white-zulu-nineteen-white
File name:Akbank Hesap Özetiniz.r00
Download: download sample
Signature AgentTesla
Create hunting rule
File size:694'784 bytes
First seen:2020-04-30 12:51:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:k4kYg0hGSRH00mj86qom13WJt2DbGhcDG5RvZz/COzPBRphWf+X/ljVgR8roqPOv:nrVQj8Bnkt2YRRrVZD
Threatray 10'547 similar samples on MalwareBazaar
TLSH 15E47DA8369070DFD527DA72DEA42C64EA25B877630FC2076013229D9E6DA97DF101F3
Reporter abuse_ch
Tags:AgentTesla Akbank geo r00 TUR


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vps.grupoescala.com
Sending IP: 82.223.18.162
From: AKBANK <noreply@akbank.com>
Subject: ARALIK 2020 Akbank Hesap Özetiniz (Ref:188523\x0a2366)
Attachment: Akbank Hesap Özetiniz.r00 (contains "Akbank Hesap Özetiniz.r00")

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-04-30 13:36:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
11
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=47tqigywizv5a2ar3skjkzh5ylfl5u6e67ujk5mb6cslkoaivmhq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0702729c34578ee78cf3cb883ee298fc4aa67dbb433981790605e4e4afb642ff
AgentTesla
1124da58762740281b121d01e786049684dded210eaaa709b5e4d9bc0190def1
AgentTesla
3eb30f7fa77eeed5c687b9514c1ef0e9cca4778a514e30a2a0c07949945407f4
AgentTesla
ac979891a231a3af79a31a52663f77fe151bbbddee9b13750ea02e82f6aefd40
AgentTesla
b36cdef1bf3b71c8edb27b1d2eabaa00b2df89f3a46bc9c727f4dbb6956fcddb
AgentTesla
bcc9c0d2162cec6b418ab08905642c181d2c24b95a4a387242f73cd5d4410bb2
AgentTesla
c964296558dc6cf1a3e305f48af7ea8b6736ef61f01425dbfabc6fd32cd4eb87
AgentTesla
dd5e99c3b05f5d4e9cbdf8b7f28a233618b3d2abb8a7cab1a10fdbcdd859dfb6
AgentTesla
e8917cab54dca8c56976f8fa973521d58d0fc5abc196906a2aaee1e31c8b007c
AgentTesla
f349c4c241a5ce1565b3d584dc1158fbc4e9766d99becca69c5d4d848de0fefa
AgentTesla
+ 10'537 additional samples on MalwareBazaar
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

c0635f3c24d5c6d3daf17913de22d6e6

AgentTesla

Executable exe e7e7041b16466bd06811dc949564fdc2cabed3c4f7e8957581f0a4b53808ab0f

(this sample)

  
Dropped by
MD5 c0635f3c24d5c6d3daf17913de22d6e6
  
Delivery method
Distributed via e-mail attachment

BLint

The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
IDTitleSeverity
CHECK_AUTHENTICODEMissing Authenticodehigh
CHECK_DLL_CHARACTERISTICSMissing dll Security Characteristics (HIGH_ENTROPY_VA)high

Comments