MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1ff82c607bc0fa4e4effc066ef05e092760f38c35a2426d9c44c64b85d60d53e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1ff82c607bc0fa4e4effc066ef05e092760f38c35a2426d9c44c64b85d60d53e
SHA3-384 hash: 8e6350e0a27b9598197eda29b86d52e076fac95d10dfc7d85a62c806eeee708f40c6b81d2399f9a085d8752791ca20d5
SHA1 hash: 0814a134aff6333245a7d26f127c20d87476d45f
MD5 hash: 1bbb436c32d49a35d254c2b01a76e9e4
humanhash: one-mobile-alaska-mango
File name:nKeYpjZjYiPtCBn.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:565'760 bytes
First seen:2020-07-07 06:28:22 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:4tu+ldUWV/HuE5TijTEOEDBmJdqPn3VkoQ1954ND:6JlPi3TEsJsP3xQ75qD
Threatray 10'660 similar samples on MalwareBazaar
TLSH B7C401B3064BBEDEF32D4E74D25435501DE90C2BAA70CD09BDC935CA12B3B446AB8A75
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: wilhelmsen.com
Sending IP: 88.218.16.246
From: Asghar.Saeed@wilhelmsen.com
Subject: MV Blue Alexandra - Discharge - 27,500.00 MT WHEAT - 30,000 MT CORN - Agency Appointment
Attachment: MV BLUE ALEXANDRA 1.xlsm

AgentTesla payload URL:
http://198.12.66.109/nKeYpjZjYiPtCBn.exe

AgentTesla SMTP exfil server:
mail.qatarpharmas.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21863/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1ff82c607bc0fa4e4effc066ef05e092760f38c35a2426d9c44c64b85d60d53e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 17:11:54 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d74cyyd3yd5e4tx7ybto6bpasj3a6ogdliscnwoejrslqxla2u7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
132451f148452e78cb2252e7725a1fb5eb2eacc6ba5687185730c1f8cc0c1236
AgentTesla
475691d68e7948e33cb6c7d39f01d8b9ed13b7a6e705dd69247bd71379702a4a
AgentTesla
5a7d9f30e6fb3c3547e6eb91cd5252e7f516a983b1a8dd49fafd4c5d1584baa5
AgentTesla
677cd89b052993db94346f82c1a00e3d022621ab71cd8101e41645d6f0a9933d
AgentTesla
74ab856c2d5235f78fa546a5086abab294bebfa2ae9550345e272f6a645f6d80
AgentTesla
7aaae6c45ee6feb80b03a8fc68cde52b3f7449bd4a69e1aabebbb2a34025e9ba
AgentTesla
93733dd76500923f42cee221d049812d0462fc3f5f34928abc33a8a3697af7df
AgentTesla
a011199cb8b7164445d166285b1b0ebc6df462f34de7ab41856a52f4f3465fbf
AgentTesla
caf1d4f374de0479bc4ca6caa289cfc35720779080a2957aab92ba4fc1602e6c
AgentTesla
d710447b99c5d26cac4643f971557e7d1b792010942ec3a4fc43ada5c02317da
AgentTesla
+ 10'650 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200707-w2emdnph62/
Behaviour
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xlsm 714157567cc5e595a41ba9faccd4df66a682e9c6f1f939f2f1cdf85d5642aeea

AgentTesla

Executable exe 1ff82c607bc0fa4e4effc066ef05e092760f38c35a2426d9c44c64b85d60d53e

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/408563/
  
Dropped by
MD5 21d693611049004afca05b813a0fb485
  
Dropped by
SHA256 714157567cc5e595a41ba9faccd4df66a682e9c6f1f939f2f1cdf85d5642aeea
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/21863/

Comments