MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 edf16d5a8a574b768e57a54d09c4bbce2476f25bdac71439d0a6a90afea1380f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: edf16d5a8a574b768e57a54d09c4bbce2476f25bdac71439d0a6a90afea1380f
SHA3-384 hash: 45a44736abc3c49d3d043d827cf4b3b667c51796d1be6b5f8710cffe21ddc32e5dac7789dd260a7f443985f0e2e601e3
SHA1 hash: a3cc93eb442fc7e0e03683a317023ce48fefb084
MD5 hash: 3cd6b11f668877eb31d5a0245b14b51c
humanhash: snake-michigan-snake-rugby
File name:k1 cripted.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:434'176 bytes
First seen:2020-07-03 06:04:32 UTC
Last seen:2020-07-03 06:51:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c458ff2d515beb8f44158cd3636a7400 (19 x AgentTesla, 6 x NetWire, 3 x HawkEye)
ssdeep 12288:c+7wni3lO6VJpO1brVbURwrtmGoV4bpcls2KPm1lqR:T7Yi3rLpobrk8tmB8Osi4R
Threatray 11'399 similar samples on MalwareBazaar
TLSH 9A9412A4CBA545B0C55E2BFB96570B70A330B0976C4E5F069F80DD6DF632982ADC07A3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: 142-4-22-49.unifiedlayer.com
Sending IP: 142.4.22.49
From: Alice Zhoubiru <info@snaptv.me>
Subject: RE:OUTSTANDING PAYMENT//Original Scan BANK ADVICE.#47650
Attachment: BANK ORDER COPIES.XZ (contains "k1 cripted.exe")

AgentTesla SMTP exfil server:
mail.dadupipes.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/18566/
Detection(s):
PUA.Win.Packer.Upx-49
Create hunting rule

PUA.Win.Packer.UpxProtector-1
Create hunting rule

PUA.Win.Packer.Upolyx-12
Create hunting rule

PUA.Win.Packer.Upx-6
Create hunting rule

PUA.Win.Packer.Upx-4
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/edf16d5a8a574b768e57a54d09c4bbce2476f25bdac71439d0a6a90afea1380f/
Threat name:
Win32.Trojan.DelfFareIt
Create hunting rule
Status:
Malicious
First seen:
2020-07-03 06:06:06 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5xyw2wukk5fxndsxuvgqtrf3zyshn4s33ldriooqu2uqv7vbhahq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
01623a798b7efb749c3409651a85050b58327c7dbe59740f79dac9b78ae24c9b
AgentTesla
0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
AgentTesla
2adb3891f61ab6b0331e50da04a3cbbfef3a578da513e8360cd567727ed5e790
AgentTesla
7b30f4495b6650b1059c97b73bfb14d5ce76636cfdeaf3f5537a1973e625bcb4
AgentTesla
9be148a7dda520e13c81cdc99219724ca8be064a334f0efe88e2676046e057a8
AgentTesla
9eb1f39ae32ed2c3289f148c0182ef2f8916fe7283400fcffd262798c08ded91
AgentTesla
a550ba5d41e52b9e136cafbfcdfe92148a0111a0e75a5ec3073ddbc0d965de55
AgentTesla
d00396bdc41d762fcc1612605e951071919d7bb0fbce02491c805d2d42d767a4
AgentTesla
dc22c2145431a6ecc75ef2f7271120d8e102cef7faeac96d1d1d6ffb9b680ac4
AgentTesla
e640fad06c4f66298aaa5e4a4beb4a210131f6799ed82a69e5db5da21ec53d7c
AgentTesla
+ 11'389 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/200703-trnqqm86f2/
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:suspicious_packer_section
Create hunting rule
Author:@j0sm1
Description:The packer/protector section names/keywords
Reference:http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

xz fc10d5d58ec3354da8a9dd2e63fb452a5af9a47bad5cfe48c1b9eb64750b70dc

AgentTesla

Executable exe edf16d5a8a574b768e57a54d09c4bbce2476f25bdac71439d0a6a90afea1380f

(this sample)

  
Dropped by
MD5 aacc39df915f875e4ec5ca5d83d60b77
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 fc10d5d58ec3354da8a9dd2e63fb452a5af9a47bad5cfe48c1b9eb64750b70dc
Cape
Cape
https://www.capesandbox.com/analysis/18566/

Comments