MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02c371d0cde6f6765fbdc7d19fd8c17fdd62da0cc26f2b3955f645f857f0bafe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02c371d0cde6f6765fbdc7d19fd8c17fdd62da0cc26f2b3955f645f857f0bafe
SHA3-384 hash: ad31f3eae997d6c52d1a66f041e963039cee3f3381cdaadd6c455c79622541b666d11623d3d203f48955338e35875f87
SHA1 hash: fa1dc6ccc0972b1a687911f86bc0d2eab839cea2
MD5 hash: 0cdb7e1c07c68ba001831e3e301c4ecf
humanhash: snake-august-summer-yellow
File name:QOUTATION OF THE MONTH_PDF.SCR
Download: download sample
Signature AgentTesla
Create hunting rule
File size:389'632 bytes
First seen:2020-07-02 09:27:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:6hTOch060UDMZq/Is7pfijgFyixZX/hVx2astLUY/YZipgelrGIaSUXkJtKY+zTp:6hCcvHDM4/Is7p6jG7nJ78LUY/YEp1Y0
Threatray 10'915 similar samples on MalwareBazaar
TLSH 6E84E020ABEC6664EDFB4A79AAB969501B3FB9902535E71C405C709D0FF3B004521B7F
Reporter abuse_ch
Tags:AgentTesla scr


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: florstore.co.za
Sending IP: 209.58.149.66
From: Info <samantha@florstore.co.za>
Subject: Quotation of the month
Attachment: QOUTATION OF THE MONTH_PDF.cab (contains "QOUTATION OF THE MONTH_PDF.SCR")

AgentTesla SMTP exfil server:
mail.badamli.az:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18412/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WQV.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/02c371d0cde6f6765fbdc7d19fd8c17fdd62da0cc26f2b3955f645f857f0bafe/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 09:29:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=albxdugn433hmx55y7iz7wgbp7owfwqmyjxswokv6zc7qv7qxl7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
094a94a9a5ee71992fe8e9ad8195055ee45b9f0419912f8f26096a741bc0c434
AgentTesla
0f5ecce70b0cf50e4306b1280d58a9f400a6e54bef753029b7d48aabb8db785a
AgentTesla
2522fc0ce2abffd595456b71ae2c01d8dfb4fa3597d2e0d2aba38d1ff3ee42d7
AgentTesla
310cda4734ff6074a97bb0e7cd6c5ebe6aaaec58408650752b73dbae53a5e396
AgentTesla
350f76a14a11bfe8d35f65d21204d6f3b58f5b8b3e80946fe664c2ec28ed5964
AgentTesla
39ae9bb45b4f178ecade689b35dba1ed79d686199997202995946a64f0317890
AgentTesla
b3770ed7e40082d700739a98f8be9a3a338be55580942c0baddc5f03e03e5a63
AgentTesla
bcfe28b074cc1d9b0fb7896ee3eb4d28c240bee33cb76578f0f9f1ef90ab92e6
AgentTesla
e23a268f1e3c63c4b2460a42e219a7237744ddaad6d9bf383977c85d9921843d
AgentTesla
f8166c3c857a7a3ba99515cf6ae242a78050fba7608e24a88e2559e0063a187a
AgentTesla
+ 10'905 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200702-d24whyfsja/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Malware family:
AgentTesla.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/02c371d0cde6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab 34054f2376541f7967d668ed6fd382b641ae4ef02a9f8feda766d8c86bdd208d

AgentTesla

Executable exe 02c371d0cde6f6765fbdc7d19fd8c17fdd62da0cc26f2b3955f645f857f0bafe

(this sample)

  
Dropped by
MD5 02e14bf9c655b17c2b282dffefc51941
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 34054f2376541f7967d668ed6fd382b641ae4ef02a9f8feda766d8c86bdd208d
Cape
Cape
https://www.capesandbox.com/analysis/18412/

Comments