MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48cf95888259138c1d0b910da9c79083f16977df3d32a1708e3a4bd1c9015f5f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48cf95888259138c1d0b910da9c79083f16977df3d32a1708e3a4bd1c9015f5f
SHA3-384 hash: fd04782cd33302fad1f72718c9956c5f670940aaadd916f0c9828c10e8b6d4386bb3f69f825a41f53bbb1cd54243fa1e
SHA1 hash: d98ef340084a6e467814e798fec4974fe6745d4a
MD5 hash: dc00823f9bbcf8dbe35edaa2bbe76cf7
humanhash: thirteen-winter-video-undress
File name:MV YICHUNpdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:548'352 bytes
First seen:2020-06-25 13:24:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'616 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:+sO9OkDNCn29zbX5Vr2hhscEOYxSjRHBNP2LbLicVU+w:+sO9OkRCnUhV+lED+h1qbLi
Threatray 10'610 similar samples on MalwareBazaar
TLSH 75C4F1141258AF6AD57D8B79D0B10050C3F8D103722BFB9A5EC1B4ED2EE33B1950A7A7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: host.iteamweb.com
Sending IP: 209.59.138.164
From: Cindy Hong <cindy1@ecoray.kr>
Subject: FW: REQUEST LIST - MV YICHUN - ECORAY-2020-93210
Attachment: MV YICHUN.pdf.arj (contains "MV YICHUNpdf.exe")

AgentTesla SMTP exfil server:
secure231.servconfig.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14333/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.44022.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Launching the process to change network settings
Enabling autorun with Startup directory
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/48cf95888259138c1d0b910da9c79083f16977df3d32a1708e3a4bd1c9015f5f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-25 08:11:48 UTC
AV detection:
25 of 31 (80.65%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdhzlceclejyyhilseg2tr4qqpyws567huzkc4eohjf5dsibl5pq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0af6c2d9e45eabe884f19d0555f8cc96efbf69151d8729f3c0d0c5eeb952771d
AgentTesla
490ed173b3c4ca1a65441a874c4772c86c77ae0673c7eaa88248201714226a85
AgentTesla
4924046e9d0bda3e72066725e698cf3497c5b2f980f036ba2c70f833c461acad
AgentTesla
6a0bec0cb8ec169bef2d1f80a5a981d09d99b0404ba79057c2870bceef6b5db9
AgentTesla
7a74c2a23d62f4b0fe825cad7a0d2ab928bf17365ad8dd1eaea28ab81f7f8e10
AgentTesla
80558cc98cf7a71f98ccf99cd82908083417a258f3b8fc2084bf8afa529a9a4c
AgentTesla
8ea205201efe717369a4d825e2244c3f119610329d2413286f923fc737bcef10
AgentTesla
91b0b26682dd9be054ce4fd2eefebc1d10157ea0f08c29d3bee695453b8d7ca6
AgentTesla
bfecf1d24ef83e7bc35143c6ef0cc09a0a77902e2fd6ef9f5d5a50d0968c088b
AgentTesla
d40dc76cf166b3c5f95229359dfb205460c69ea054eba50c3a00b04efad88999
AgentTesla
+ 10'600 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware persistence keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200625-5s6qhma2rj/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Modifies service
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 3297357c78bb7b8774d47a22b2fa7ef7e397e3e81f1c79ea183a1368747cea10

AgentTesla

Executable exe 48cf95888259138c1d0b910da9c79083f16977df3d32a1708e3a4bd1c9015f5f

(this sample)

  
Dropped by
MD5 9559cd42c801107f0853ec3185a070e9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 3297357c78bb7b8774d47a22b2fa7ef7e397e3e81f1c79ea183a1368747cea10
Cape
Cape
https://www.capesandbox.com/analysis/14333/

Comments