MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4988b00c252410f05a2bd1d8202739be301c54e4bbac08c4ddbb704a8d660e8d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 4988b00c252410f05a2bd1d8202739be301c54e4bbac08c4ddbb704a8d660e8d
SHA3-384 hash: 3ae8ee8574b77196bc9f33a68a99a9d7dc50e0f17ca99b3b9023b2b7e8fc5f53b546bc21ca740a261a6d0aeca8774fcf
SHA1 hash: b0b84a3f8afac504d74f75af0d252d30ce7bacdf
MD5 hash: e9204b04d38a5e0f5fcce7a195e88fe7
humanhash: nineteen-wisconsin-five-don
File name: RFQ_6000042792.PDF.exe
Signature: AgentTesla
File size: 445'952 bytes
First seen: 2020-06-24 13:21:35 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:lYhDhdqseMX8n7w00x0U6f5nRAN8bzgDrvl5MXhhJ/iFrtiYKMTkXHs0fzMWyM56:mh0MX8nQqU6Rbborvl5MXCxLMVWax6
TLSH: CB94F14B37ACB523C8BD06FA58D11F8823B15EAA7582F6D99CC071D228D37E548517CB
Reporter: @abuse_ch
Tags: AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: cun23.com
Sending IP: 45.127.62.112
From: Zhenzhen Guo <anderson@mendenhall.ml>
Subject: The Quotation for RFQ number 6000042792 / PR # 0040014220 (June 26, 2020)
Attachment: RFQ_6000042792.PDF.rar (contains "RFQ_6000042792.PDF.exe")

AgentTesla SMTP exfil server:
smtp.portsen.com:587

Intelligence


File Origin
# of uploads:
1
# of downloads:
44
Origin country:
US
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a custom TCP request
Creating a window
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2020-06-24 13:23:04 UTC
AV detection:
36 of 48 (75.00%)
Threat level:
5/5
Result
Malware family:
agenttesla
Score:
10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 4988b00c252410f05a2bd1d8202739be301c54e4bbac08c4ddbb704a8d660e8d

(this sample)

Delivery method
Distributed via e-mail attachment

Comments