MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32ec92b57297749ae4e4cc6299579355e77573ffdf0b125d1f65ebcc62b9fbfb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32ec92b57297749ae4e4cc6299579355e77573ffdf0b125d1f65ebcc62b9fbfb
SHA3-384 hash: 5fccd60083bf576b18cb9068eb3385140451a9549865e00b3570d4ab67f1c83de77a42f0847653015879086f07f4adcd
SHA1 hash: c1cc249f570bf0247d6113b5ecb2baeb5a4b641f
MD5 hash: 4f95864e11669a1aa74b6efe3b47b50b
humanhash: west-oranges-maryland-massachusetts
File name:TMP-376000.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:711'680 bytes
First seen:2020-07-22 07:44:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:mK76A9jUTkxdrr2GhN4s38lIrlBCAlhWUcHHa4U2Uj+Nw0a5W5qA7+ZiQL2W38:CAiYzr2iN4swIrlBCayHi6oA+ZH2
Threatray 10'860 similar samples on MalwareBazaar
TLSH 1AE45C2D3A469404C53D0A7748E5AAE267B1A5873E01CB0F69C61BBC9F077DF3E0625E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: serve0.lumoss23.pw
Sending IP: 104.168.164.93
From: Mookarin Thaweephot <lr@lumoss23.pw>
Subject: Re: PO NO.TMP-376 & 377
Attachment: TMP-376000.7z (contains "TMP-376000.exe")

AgentTesla SMTP exfil server:
mail.crediseexports.com:587

AgentTesla SMTP exfil email address:
usmilitarydefense@pentagon-dc.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/32ec92b57297749ae4e4cc6299579355e77573ffdf0b125d1f65ebcc62b9fbfb/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 07:46:09 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=glwjfnlss52jvzhezrrjsv4tkxtxk47734frexi7mxv4yyvz7p5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
267a57ec138313289b2e4fae9a87f2f8b38706e9acb379905239e140bad0e24d
AgentTesla
2c8da0da6cbab2366291deabbb773bec304a9e49c87982a04d6ee33c712cd642
AgentTesla
54a3195e1eb2acf84a5d65549f7497c30e161c48fc5de9754d99bdd57d1ef4c9
AgentTesla
68c326087c2ed640e74b243ecfad7be9fc4e2694f80991a5337e8f91fdf4efc7
AgentTesla
6fadee8038751819aef12bc1abc18e17efbc53a8cdfb977dc5cde08e5d0c1552
AgentTesla
757f7141daf24169ff3694cdf0247b7ce0b71c66a970837a71149a69b5b6d371
AgentTesla
9abbf24b322068da5ac2e1581827d788d787eb8b31685863b1aa048f01ca5190
AgentTesla
a34c112bf95fe938efd100c5a3a2653153a69f7dc8dcc00876087b8d0e56e285
AgentTesla
d3dc0fad4580b2c3d0f5bfe27fd99d66b20f2a2c65c219218f9e6628a9df5d2b
AgentTesla
d8ea753d78e0843edb882a8bf78b49996d2fb7c68eabd99b660c9070aaa800f6
AgentTesla
+ 10'850 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200722-s8trb5h9za/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32ec92b57297749ae4e4cc6299579355e77573ffdf0b125d1f65ebcc62b9fbfb

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 844d5ae62357e86697a5cc5541ad8d1862b62dd9701855e916e1235005336bf0

AgentTesla

Executable exe 32ec92b57297749ae4e4cc6299579355e77573ffdf0b125d1f65ebcc62b9fbfb

(this sample)

  
Dropped by
MD5 b817248a9b13e3ea3e600692a832a263
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 844d5ae62357e86697a5cc5541ad8d1862b62dd9701855e916e1235005336bf0
Cape
Cape
https://www.capesandbox.com/analysis/30893/

Comments