MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14780eb585efbdc339799d90eefcb8b4b613464566f8cb3f1fed2bcb06dcd17f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14780eb585efbdc339799d90eefcb8b4b613464566f8cb3f1fed2bcb06dcd17f
SHA3-384 hash: c8de13a1c689924d3deb2bf4640a6cc6c8f46d8ea2ede9b98224c322b0e057aa84dc38d00bd718cc2f8f84058098e638
SHA1 hash: 356268c526fa8182b89fc6bf71a4e5e382ee6c87
MD5 hash: 604f34919b1cb3c002f78789a183aa1e
humanhash: seventeen-georgia-social-iowa
File name:INVOICE (A21)GH-SC200710F.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:885'760 bytes
First seen:2020-07-11 06:02:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:u1vEPazUJPjhtwHcFCrLnh525nmKKFQ6df9ieLYhJ+SUD8ERNsdEoC:UEPWUFIHcsr7h525mKj6iFhESTgF
Threatray 11'008 similar samples on MalwareBazaar
TLSH DF159C30BEDCAAE8CD3B0DB2E462CC5105E85E276B41EB9719DC5F8B0A553F1909DA43
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: xprt.com
Sending IP: 103.99.1.174
From: Environmental XPRT <newsletters.environmental@xprt.com>
Subject: RE: Introducing the Way-Back Pack; helping the hospitality industry get back on their feet (July 10, 2020)
Attachment: INVOICE A21GH-SC200710F.zip (contains "INVOICE (A21)GH-SC200710F.exe")

AgentTesla SMTP exfil server:
mail.indoreisenslovenia.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/24547/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.51598.2547.25751.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/14780eb585efbdc339799d90eefcb8b4b613464566f8cb3f1fed2bcb06dcd17f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-10 22:38:51 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cr4a5nmf5664golztwio57fyws3bgrsfm34mwpy75uv4wbw42f7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d0be22c9e96a4cd2a2fa90c77240c8cb74748b38ba9b5ee9891329326a21fcc
AgentTesla
21ae6a2cb858073f8ef1089c949f36fd890f79a9b5f2385f945b1bc7a8a4da76
AgentTesla
4067a43c3518dd21e937615d4d05115eeb11a15691ebb1197222221b5cdf9e9d
AgentTesla
5c0b94de79ed0aecb92dabe4a6904eae55797d7296c40f21ada935ccac38e0c4
AgentTesla
b3706a5ace23149f5ed6327656b49fa37aacf8814569312ac807c580a1b662d0
AgentTesla
cc1d466f94bbd61eb8ef952b8f112d2015cf0b14c72f6f9b47e0ab3d4b368b2f
AgentTesla
d62fea38a73608fc3e8de4f3e16f53051f901fa56e7d3802788ca03fb9e1aa38
AgentTesla
dc67ad0f1d9092eca89d3b0efc15e17b3490f9e90e99c5df611322053ce4c709
AgentTesla
e97eb18eef4a73403afab9ba66d7d67c9fc3dd3017fe44bb2b128d935c112429
AgentTesla
ee4db51c78ef23cb198864dc44402b8b23db4392e31463f6df8991ca2454a47a
AgentTesla
+ 10'998 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/200711-98vx7pt3sj/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run entry to start application
Adds Run entry to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 232807fa01c645961ac01e03d49917de090bb32e152bf71d11d782088689e566

AgentTesla

Executable exe 14780eb585efbdc339799d90eefcb8b4b613464566f8cb3f1fed2bcb06dcd17f

(this sample)

  
Dropped by
MD5 431dcadc3e5b574650cc8651f0392a3b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 232807fa01c645961ac01e03d49917de090bb32e152bf71d11d782088689e566
Cape
Cape
https://www.capesandbox.com/analysis/24547/

Comments