MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f077dec4e7550bb42ddcb70f5e8ffc4f9573579a31175726cb61669501cac299. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f077dec4e7550bb42ddcb70f5e8ffc4f9573579a31175726cb61669501cac299
SHA3-384 hash: b93295b492927305c02d06c0a634147f508fbdb9dbaa468377cb39bbd5580b17ee45d6213b0e25d26b4fd8fee7511f76
SHA1 hash: cd486930bbc77e3a9c855cfad70d10282e98ea62
MD5 hash: 13745d3305f94684a346aa8d12cac8ce
humanhash: mockingbird-comet-london-sixteen
File name:169287394-75414-SANWVDDNETP0034-3.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:614'400 bytes
First seen:2020-06-22 13:52:00 UTC
Last seen:2020-06-22 14:48:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:zkoS6Waobk2BUmPvEKUZveAP6oI8UIC080kfu3zUdeiyEDOUZ8:gcoo2mUvEKUZD3CK34dehEDOU6
Threatray 10'801 similar samples on MalwareBazaar
TLSH 86D44B2E7A817816D13D0A3204E965907372E6873702C70F7ADAD7AC6F212DF7B462D9
Reporter abuse_ch
Tags:AgentTesla ESP exe geo Santander


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ideanto.plesk.trevenque.es
Sending IP: 217.18.166.142
From: Factoring y Confirming - Grupo Santander <fycuot@gruposantander.com>
Subject: Confirming - Aviso de pago
Attachment: 169287394-75414-SANWVDDNETP0034-3.pdf.exe

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/12629/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.2041.2729.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f077dec4e7550bb42ddcb70f5e8ffc4f9573579a31175726cb61669501cac299/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-22 11:32:35 UTC
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6b355rhhkuf3ilo4w4hv5d74j6kxgv42gelvojwlmftjkaokykmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01756885591950ce684aa986ed7da04c5b4cc98ecc9e919866071eda128b4342
AgentTesla
179a71404be2a13e8c37211d5b2d2f1b7339520b2a94c2f9d7b53227a7b92cdf
AgentTesla
3569d46f24fc262031aad2932c38bf1347420472f197628c622a45e6b061ca76
AgentTesla
573535f4daf60e724e68c766dfa8ac52bb96b33d4bbe307e36730725dd0f40b0
AgentTesla
5bce10125f245dab9ac4ef1c0dece6313b43512e721f70f7c4846ebb23b1cdbf
AgentTesla
5ce4d4f2a15924f200619b7140bd99faad88758c0d0f0cfb4eb9d166fe2f41e3
AgentTesla
6a9aed50d116430db97c672e5b6083da7f6b3d0221cd9bc35de7ee4dfd54e6f0
AgentTesla
8e06f5c0b680e598a1063b921faa1568b00608fae457fedc04a53bc4637977ef
AgentTesla
c7839a3137610ece15b06c73cb4e9ad2b7d175630c13717649974d1965d1235c
AgentTesla
e0b1475da71d2c099ae959dfe1d9406fe992efd535da154bf2e423e14e8376aa
AgentTesla
+ 10'791 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200624-knn435gdsa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe f077dec4e7550bb42ddcb70f5e8ffc4f9573579a31175726cb61669501cac299

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/12629/

Comments