MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee7e73942f7e98f086e9abe234870e07bdd2dc36808c26b8c84f434e2c4fa4c1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee7e73942f7e98f086e9abe234870e07bdd2dc36808c26b8c84f434e2c4fa4c1
SHA3-384 hash: 5e7a7981dfb676241224c0ef85bd84776129750ffa8f2e1ef78f3f8f8808331521237445edac7bcafbf0e79bba0626d0
SHA1 hash: 968f8afaf1561e5c8a3653e8f5953f602dd5f380
MD5 hash: c797d159e47dfbd7a39f6cf22d133604
humanhash: foxtrot-nineteen-blossom-mirror
File name:Factura Abril.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:480'256 bytes
First seen:2020-05-11 14:27:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ZEqfCvk3cwaX0ilW1daDTChpPcCd+PC2+8RedL:ZEqfCvk3cwaX0il2iTmPdQC2+zd
Threatray 10'640 similar samples on MalwareBazaar
TLSH 94A4BF1026AC5729F8F59FF42EACA092D7B1785B3895F7AD4CD254CA02E4F40DD60E2B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mx1.tiservinet.net
Sending IP: 178.33.68.12
From: Francisco J Navaro <infomacion@mtt-maxim.com>
Subject: Factura Abril
Attachment: Factura Abril.rar (contains "Factura Abril.exe")

AgentTesla SMTP exfil server:
mail.tarzmobilya.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-12 01:40:38 UTC
AV detection:
36 of 48 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5z7hhfbpp2mpbbxjvprdjbyoa665fxbwqcgcnogij5bu4lcputaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2c2c3f6c2e413e049672375072635c475e9bfec481cbfb1d68d7cc9fe9987f20
AgentTesla
2dee48503995eb6a1fc38e807bea655d420c181e9b832ca5d52676c8cd527394
AgentTesla
5dedf1d8fe82e6567b41fabe389d1bbedd14a6532320abab390f852bcc8bcce3
AgentTesla
7ef5d52f3932900ab7df61a8f7406965279af4a0865ec28c333b75d65b8793cb
AgentTesla
9fb0d4a6cb16d10fc8c584647a21530ec375abf85b5a48d7d7578ebe6dc36f27
AgentTesla
b2a303978225eae9f42504387edb087b85311f789d125edb4ead7066e7047afd
AgentTesla
c0005ff458131bed0541695d27368d84415e219dbdaa6d13fa80ed539e85b90f
AgentTesla
ca8bee78548af15a74451cdf1b85cd25033cd76d340f974d98b315f2d4cc7110
AgentTesla
d569c0cfd280490ff1d726b75bca9e64be8352671e8aaf41b26e583c82690cfd
AgentTesla
f31b8a6cadf10ee7c20d5bb1ae1c3c009a305ae7e17df33912eed70098a4bc62
AgentTesla
+ 10'630 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-gwfr7meh46/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar cf4e9aab51faf6ba3de9470dc1d8d9b8fdcd63ac16c2cb95acb422bb16a480db

AgentTesla

Executable exe ee7e73942f7e98f086e9abe234870e07bdd2dc36808c26b8c84f434e2c4fa4c1

(this sample)

  
Dropped by
MD5 581233f16cc396557aa1d3d13224c883
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 cf4e9aab51faf6ba3de9470dc1d8d9b8fdcd63ac16c2cb95acb422bb16a480db

Comments