MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0edd45b70fa551b13b37faf2146011fbdb3299e69f20bedb7e48c1710d3a0159. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0edd45b70fa551b13b37faf2146011fbdb3299e69f20bedb7e48c1710d3a0159
SHA3-384 hash: 69760c683e49624f69ec00ba851ced01cea10f150605bca8b8758c2c0a0752f25d06fdd9ce142c826811650575f62a5b
SHA1 hash: 6e298ffed5d341066b433cf1691e09757cfd1605
MD5 hash: 5a98737847e4d34062ee01bedea69962
humanhash: johnny-nevada-four-utah
File name:COMMERCIAL QUOTATION THRUST BORING AND PIPELINE INSTALLATION BID 2000520769.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:407'040 bytes
First seen:2020-05-09 17:50:01 UTC
Last seen:2020-05-09 18:51:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:6+3/j+T86aYWf8KYq/Q9B+ItGVr3M9waZgbCZCA7JMLwUaJugdmlFbL39:6+KT86aVf8loVrcdZzMg6L3
Threatray 26 similar samples on MalwareBazaar
TLSH AA84F113FF58E632CE5B07BF0031266C4B6D87DA0B12EB599ED1688509A332C9651B7F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: centos-s-1vcpu-2gb-fra1-01.local
Sending IP: 165.22.27.150
From: Benoy Vattappilly <benoy.vattappilly@saipem.com>
Reply-To: Benoy Vattappilly <mog_b@mail.ru>
Subject: REQUEST FOR TECHNICAL / UNPRICED COMMERCIAL & COMMERCIAL (ENCRYPTED) QUOTATION - PR 11657509 THRUST BORING AND PIPELINE INSTALLATIO
Attachment: COMMERCIAL QUOTATION REQUEST THRUST BORING AND PIPELINE INSTALLATION BID 2000520769.zip (contains "COMMERCIAL QUOTATION THRUST BORING AND PIPELINE INSTALLATION BID 2000520769.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.GenKryptik.EKGZ.10185.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Genkryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-09 18:35:24 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b3oulnypuvi3cozx7lzbiyar7pntfgpgt4ql5w36jdaxcdj2afmq._file
Verdict:
unknown
Similar samples:
442452b82edb2b18431c296669c78df1c88b210775e9a9b5d7726a1092a8fc6f
AgentTesla
6575a80b5fa70f2b72b0c5270e4bf316efbdda166b73267a783ebe8a56f3cd1e
AgentTesla
6ff25388a91cbed0a11467e592e39e34c54de49d61876a2a201554e67c5b8cb4
AgentTesla
8224d188f60fa7c7b60249b82cd7d94336542a8a21a57c9adcb00530e068f818
AgentTesla
cbb6d89187847aab1fcff6b5d832ea80bca30bfe5520702133cab83335392ead
AgentTesla
d73498e0aabb97375783af491aded66aa6710ba848247de3337f404fa02a35c0
AgentTesla
e43ee2ab62f9dbeb6c3c43c91778308b450f5192c0abb0242bfddb8a65ab883a
AgentTesla
ec639f932f7e3c075d735973cd493fe7a895bf660b4aff4fc4c97af08baf64b8
AgentTesla
fdafb44be84ea918c76a99f4c24c08fbe8de6648a4ad73614f77450aa2b43484
AgentTesla
ff5a506b69008ad7cc902dd5ca6b0fe6c2235e532b9b2421bf4b86dd2b13462b
AgentTesla
+ 16 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-49rq56pe4n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 9f04e5c0344fb00eff3c1232208afd19ad423ed772f251b5e553bbd80f1eddee

AgentTesla

Executable exe 0edd45b70fa551b13b37faf2146011fbdb3299e69f20bedb7e48c1710d3a0159

(this sample)

  
Dropped by
MD5 e3d661ac6402fcb3fda6a3918308a51b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9f04e5c0344fb00eff3c1232208afd19ad423ed772f251b5e553bbd80f1eddee

Comments