MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fbc70395ea55477b8827145c12f85133565b1be20e31f71327ea17d2706127be. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fbc70395ea55477b8827145c12f85133565b1be20e31f71327ea17d2706127be
SHA3-384 hash: 3119d0022c9e3926f4eb5b816b16e9b774ac7746d69b700baf2a70675f8d9f2d9cd1981ad9f3819bf2d06366919a4f80
SHA1 hash: a3c11cc089fd8f5db0d673d9f4f63d495ee3cffe
MD5 hash: 6ca7ca71e6777e838bb32c911e5e68eb
humanhash: cold-kansas-dakota-magnesium
File name:[C38226] #TD JMMasuda_Mfg.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:836'608 bytes
First seen:2020-05-13 11:04:34 UTC
Last seen:2020-05-13 11:04:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:2S6pPxCt09P9Wz1pvobaRBctp2SfPhHYiAXogG83gOq6:jAPst09P9WPvoOHctpzBuvf
Threatray 1'200 similar samples on MalwareBazaar
TLSH B805231FFEBCA92FC75C15F9A0A1514113F28A16ABA2F7D9DC9291F971C83D68231483
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: outgoing8.cpt4.host-h.net
Sending IP: 197.189.247.41
From: Patryk Mazur <Patryk.Mazur@tkship.com>
Subject: RFQ Our Ref: C38226
Attachment: C38226 TD JMMasuda_Mfg.r01 (contains "[C38226] #TD JMMasuda_Mfg.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR.12275.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-13 11:23:20 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
24 of 31 (77.42%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=7pdqhfpkkvdxxcbhcrobf6crgnlfwg7cbyy7oezh5il5e4dbe67a._file
Verdict:
malicious
Similar samples:
2120cc9b71de9e66d9450987334dbf4543968a758162c131ca598a60b86f22ce
AgentTesla
43c22ad8da4c7b3702e70d5c97e7ceed85a50dbd7926fccc5eda0bd775fcec51
AgentTesla
47799b4853ffa2cb541f153f0b50fc335324a5964e04093a8316d4a62eacc8f1
AgentTesla
5c826e35fe48ce5410e9c553242a83e71b2408a57d3256bcd0bd4334412010b0
AgentTesla
8a3dd3eb355760a77c7bd89e2316c7741e37f9b20435a23d144e58ba856bd7c7
AgentTesla
94581916a6f0f8c4c0e9238fb1ec9ee8f44035e750f7a41115e68ebe526e6ee4
AgentTesla
9c5b8535e2ac554768c5cfc3d655a3aed7647fe2280e66161a516296eb5a5918
AgentTesla
d08aead15f73a995edb3859145a359316117d4b82d2c5a0f4a5b599eba28d263
AgentTesla
d21f5fcd18544952bb7012782c68b9ab3f89f1d4ee154564eafc32cce59e1ada
AgentTesla
eb105b408d5010f2bb82c8d5960af3303e96e7fd64d7777263d475c351b6d59c
AgentTesla
+ 1'190 additional samples on MalwareBazaar
Result
Malware family:
masslogger
Create hunting rule
Score:
  10/10
Tags:
family:masslogger coreentity ransomware rezer0 spyware stealer
Link:
https://tria.ge/reports/201109-43kc54wlga/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
rezer0
CoreEntity .NET Packer
MassLogger
MassLogger Main Payload
MassLogger log file
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r01 79690d4fb9d6c28644bb6ffaf431fb985b626ab681c857397e54c05ff221b46d

AgentTesla

Executable exe fbc70395ea55477b8827145c12f85133565b1be20e31f71327ea17d2706127be

(this sample)

  
Dropped by
MD5 82893a5afec0b0ebb54baf8f41e84985
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 79690d4fb9d6c28644bb6ffaf431fb985b626ab681c857397e54c05ff221b46d

Comments