MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f0996fd1f27a193c71c2384d7a760b3db419a52033707d10f55283c9d2ea147f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f0996fd1f27a193c71c2384d7a760b3db419a52033707d10f55283c9d2ea147f
SHA3-384 hash: 4eb5b1b7122400d25956c9d4010503fcda7ca049e63e83e35642cca42355fe2bd97b24e721ed1747dd4e1cce837f8897
SHA1 hash: a335f319e42402d9943f10aa6647150d59046ecc
MD5 hash: 2c340998f43ae8a7a7261ed32ff0ae6e
humanhash: lion-yankee-apart-sad
File name:INV-080773 Bank Swift Copy 20201405 ,pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:607'232 bytes
First seen:2020-05-16 11:22:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Q4Atm8BtCGs/1LAiYhkQJ+TomGyQrlsYvDlGc:JiCGEAiykq+hWpsK7
Threatray 11'033 similar samples on MalwareBazaar
TLSH ECD47B2623B057A2FBB1B4F69C5C6E50D239DDFF8C80F98C1B6179771669260E13306A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gmail.com
Sending IP: 103.133.111.162
From: "Carpanelli Export" <ornella2006@gmail.com>
Subject: FW: Payment Information
Attachment: INV-080773 Bank Swift Copy 20201405 ,pdf 1.img (contains "INV-080773 Bank Swift Copy 20201405 ,pdf.exe")

AgentTesla SMTP exfil server:
mail.ilclaw.com.ph:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-16 11:35:31 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
22 of 31 (70.97%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6cmw7upspimty4ochbgxu5qlhw2btjjagnyh2ehvkkb4tuxkcr7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
02466f6a6f4a7b3abd212c5a0b27c8e75a29c2abb19771f22e231321d40f2c39
AgentTesla
48a5abcc8747f68f37186e3ea12f28670ff16653dc7f24315d0b54bac9211cce
AgentTesla
77642de174198cae37f2b0ce29eb087f138800df44a79bd0e589962e9fc64e36
AgentTesla
786be13603b06cce80fac1349c514e29ecd2664a51f045bc5446d2f9647087ec
AgentTesla
78dc559f3c971bf8fe5eb3f669a3b8de8c18313d2c466916fc32fd27ea352700
AgentTesla
8d339c015c4ffe14cd28f423625d45313081c61585ced94f822c7759a7226086
AgentTesla
91236da59c95dd764f85a84297238f215ef0cd3d0fbc37f2a2f15d2f302e2dfd
AgentTesla
9c8bb36e3ceccec2d985267130bad6864b1d9cc8ab286f403d17287573ff897b
AgentTesla
b2fcca31796bd8b38cadccf730710c298c702ab07e24b5d90e691ea047395026
AgentTesla
fe3f9f59dc784955366a2f7c9ff189b39710704b890b2e3aae3ffd0fbdac7539
AgentTesla
+ 11'023 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-tz8mrcn3xj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 33f0e68e874e2a5f91ff91d30fa13fb8217d52cd42ba0543628c8a2d85b22cba

AgentTesla

Executable exe f0996fd1f27a193c71c2384d7a760b3db419a52033707d10f55283c9d2ea147f

(this sample)

  
Dropped by
MD5 c88a85ba93d6d20a720d9f65acddb91e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 33f0e68e874e2a5f91ff91d30fa13fb8217d52cd42ba0543628c8a2d85b22cba

Comments