MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f1677cc4e344449edc0f1aee639dd24fedd8a91bf17b4be11e3b71543bac301e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f1677cc4e344449edc0f1aee639dd24fedd8a91bf17b4be11e3b71543bac301e
SHA3-384 hash: fefd9699000a369fd3ebca6a3f1a215e7b375ba634408a81850fda0a973b6a3bb67c0bab13a7a34890ec31755fe8505e
SHA1 hash: 47fb70bf5623f677e65700c93d275f6b54a88012
MD5 hash: eca7c987418ed08b28e1f61ed404cac0
humanhash: georgia-fillet-oregon-river
File name:Order1087240pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:570'880 bytes
First seen:2020-07-21 07:26:23 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:SfzG3WA4wLgbmVqBA/OKlyioVCY2Cd0IqJK9L:Czv5wcbmVjiigmUqJg
Threatray 130 similar samples on MalwareBazaar
TLSH BEC49D10D7B84AD9E3BA57BCE874010487B4B50AA7FAE7590B82F0ED1822711DB17F67
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mfwd28.mailplug.co.kr
Sending IP: 14.63.195.62
From: 한국종합기계 <hangook@hangook101.com>
Subject: New Order INQUIRY 1009362
Attachment: Neworder-Inquiry1009362.img (contains "Order1087240pdf.exe")

AgentTesla SMTP exfil server:
webmail.saritatravels.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29794/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Spy.21473.24451.7992.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392713
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/f1677cc4e344449edc0f1aee639dd24fedd8a91bf17b4be11e3b71543bac301e/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 07:28:10 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=6ftxzrhdircj5xapdlxghhosj7w5rki36f5uxyi6hnyvio5mgapa._file
Verdict:
unknown
Similar samples:
0c14de05af14835140799c2d9be3c80da30d7938fdcffc22edc9f6e0ec4b9994
AgentTesla
78fe45d6d5097ad57ebd01a350321546e60e79451b89ff0c45ca781f3c4e35fd
AgentTesla
7985804e27ef80e2dbf7bafc62ca022f600ceb1b9f636a90d0e3826eb2aeb978
AgentTesla
95f2db0071adb3c99b50c41ecdecbe4c6c18e9318bea7d8cd6743aff619a9f8f
AgentTesla
9d604c08ee1d3c2f747a0813ba0b38fb34477eca74a73176939f5a37a1ba5bc5
AgentTesla
a25e8f53a69b01074187de880fcb4a2e8fba9b32d781957162fb8fef4fac85b1
AgentTesla
b6e6a78efe43a85893d398bdcb56f913b48e5ab649bbac0ea305177ef55a0747
AgentTesla
c3418a3272d2f9a7b3121655ac783ce213a3d4557def273d3d3ae170ace88974
AgentTesla
d17f81844d81aab1740d9fc2992ae741df0636cd8eee2be31caa84a480e561ab
AgentTesla
f0bdd59b67a442209f68d9adf125fbadd7e99324ca917822d5f5f29e976b5b26
AgentTesla
+ 120 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200721-9w64fnaj1a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f1677cc4e344449edc0f1aee639dd24fedd8a91bf17b4be11e3b71543bac301e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img f17529fa89fe55728e6e6204f78cdc50679f910177d01c4395924391f8b914f4

AgentTesla

Executable exe f1677cc4e344449edc0f1aee639dd24fedd8a91bf17b4be11e3b71543bac301e

(this sample)

  
Dropped by
MD5 4faf64ae2ad1bde6bc240acbafff5ed3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29794/
  
Dropped by
SHA256 f17529fa89fe55728e6e6204f78cdc50679f910177d01c4395924391f8b914f4

Comments