MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 205cd594827a0ed3b674ffb492157d3b99b7dab529ba8da44249b236558f67c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 205cd594827a0ed3b674ffb492157d3b99b7dab529ba8da44249b236558f67c4
SHA3-384 hash: 6b9990f62d8b396dd55b6bebf3ee3462aea47fea9bd2c58e71c61e6e7a687c50432844b67ddf8b1beadd5968fad0170c
SHA1 hash: 48bd7fcad631f244a47396ba8ae8dd009f452607
MD5 hash: b20c00625ba48ebed836810bf8262b72
humanhash: blue-fix-xray-winner
File name:RFQ_SCAN061020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:718'336 bytes
First seen:2020-06-10 15:51:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:fmDf55tGoJsTwWfXDtTtdrqDGxEtfH23Q/sm6/igv68+6wnd5dRBl5NrbS3O1r5:fWf55lsTLtTtpahtf23Ligv68+fe8
Threatray 12'196 similar samples on MalwareBazaar
TLSH 12E4BE8C3210B1CFC46BCDB28D997C30576078BB9257D70B6C5726AD999E3DA8E043E6
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: total.tn
Sending IP: 192.227.246.82
From: Wassim BEN LAJNEF <Wassim.BENLAJNEF@total.tn>
Subject: Total Tunisia RFQ
Attachment: RFQ_SCAN061020.r00 (contains "RFQ_SCAN061020.exe")

AgentTesla SMTP exfil server:
mail.asplparts.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.LuheFihaA.14867.22229.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 08:15:41 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ebonlfecpihnhntu762jefl5hom3pwvvfg5i3jccjgzdmvmpm7ca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
162a5aa5e6e0298edbae1a494d2a3e177f0fb42b1c2e35eaecdbe1715d519694
AgentTesla
1d2a780d54c81fa2a4990bce7f008d8a1445ee1a47ea40db306dad6994285845
AgentTesla
2a938146aaf4b99735e88bad458fcd754b82072ee56ebe2a7baa8ee0bf9d3351
AgentTesla
4a5ba37101ef029435b69fe77e8af8924e4714c66a32390f83a5546025f42200
AgentTesla
7193d497b1b85ec895b6d2c976a2d102a1a33d52b029a233d94a12cae12bd6f9
AgentTesla
746a353b71345f9e27dc628cf30df6004370b4c8276c236704cba896debb2b2c
AgentTesla
8a1996e7954954071c7744530ef5a31a93ee9ff5cce447611f622f88718ab1b4
AgentTesla
8bf29373cc2b67e3127fb655434ca8fb204d5189fe94163207a0300af787d060
AgentTesla
d0be07347ce319cbce0fa252c4a030834dafe118c2ea50a6e05951ecf06b20da
AgentTesla
d7626cd481f42298575d733d11397dadd983211978d510c248b872a5e8000c1a
AgentTesla
+ 12'186 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-prd89awjj6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
ServiceHost packer
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 d44b715fce1e924401dbb7f24b5c3496bd73e503344cddb9e90588986bc5de29

AgentTesla

Executable exe 205cd594827a0ed3b674ffb492157d3b99b7dab529ba8da44249b236558f67c4

(this sample)

  
Dropped by
MD5 cfd3aac2a3ea6222153d10110f081692
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d44b715fce1e924401dbb7f24b5c3496bd73e503344cddb9e90588986bc5de29

Comments