MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 49e632e838ac0139428e5642877ed012359df09fbe438637be2de99dcb68d73d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 49e632e838ac0139428e5642877ed012359df09fbe438637be2de99dcb68d73d
SHA3-384 hash: dc115f60eb4be4c7a8d9b68c0571692ded7d412c2ff9f816df909a7fd963b0917161d4c8cd678df149f7b4f379f61d31
SHA1 hash: 63edcef87e9ba2e6b147e3b702a0ae99d1bdaa60
MD5 hash: 08472122202e6ab65ab45d82f9fa0c30
humanhash: tango-twenty-minnesota-pennsylvania
File name:Remittance advice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:722'432 bytes
First seen:2020-07-22 09:18:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:O6AiYDhN9jGx2iNxFLN7nN+WgAJ9d5JvxV5PNO0M:YV9NNGx1PFLN7nN53J9nVRPN
Threatray 10'608 similar samples on MalwareBazaar
TLSH AAE45C2D3E41A829C53D097A44DA5AD077B0A6877B11C70F2ADA177C9F532EF3F0618A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: outlook.com
Sending IP: 103.99.1.149
From: Katherine knof <admin@niatec.com.co>
Reply-To: seaninvestments1@outlook.com
Subject: Remittance Advice - Account No. 334030
Attachment: Remittance advice.zip (contains "Remittance advice.exe")

AgentTesla SMTP exfil server:
smtp.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31009/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WZA.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file in the %AppData% directory
Creating a process from a recently created file
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/394822
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 249815 Sample: Remittance advice.exe Startdate: 23/07/2020 Architecture: WINDOWS Score: 100 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Yara detected AgentTesla 2->40 42 2 other signatures 2->42 7 Remittance advice.exe 7 2->7         started        10 pcalua.exe 1 2->10         started        12 pcalua.exe 1 1 2->12         started        process3 file4 28 C:\Users\user\AppData\...\jghdfgdsdgf.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\...\InstallUtil.exe, PE32 7->30 dropped 32 C:\Users\...\jghdfgdsdgf.exe:Zone.Identifier, ASCII 7->32 dropped 34 C:\Users\user\...\Remittance advice.exe.log, ASCII 7->34 dropped 14 jghdfgdsdgf.exe 2 7->14         started        17 cmd.exe 1 7->17         started        19 jghdfgdsdgf.exe 3 10->19         started        process5 signatures6 46 Writes to foreign memory regions 14->46 48 Allocates memory in foreign processes 14->48 50 Injects a PE file into a foreign processes 14->50 21 InstallUtil.exe 2 14->21         started        23 reg.exe 1 1 17->23         started        26 conhost.exe 17->26         started        52 Antivirus detection for dropped file 19->52 54 Multi AV Scanner detection for dropped file 19->54 process7 signatures8 44 Creates an autostart registry key pointing to binary in C:\Windows 23->44
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/49e632e838ac0139428e5642877ed012359df09fbe438637be2de99dcb68d73d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-22 09:20:11 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jhtdf2byvqatsquokzbio7wqci2z34e7xzbymn56fxuz3s3i246q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19a180b5e3696a27292810125957efca24a09e7743d951e5386bd69daaca8dfe
AgentTesla
19bc9feb4b0530d0858d726c4381c431cf0e627781f88f2a6b1401671d4745e4
AgentTesla
2c6aa8d5fd233661b6d8c0130af1a0c63539aae4c05fb03d74859ebeec3b7cc6
AgentTesla
31f02d35e3e941b42298936bd026b39a5d682825bc4b4277945f9f0143617931
AgentTesla
4843c3600fa75fd8e78f04641b3fc363a3ae5e453ecd72a1e7b8b6c25408e376
AgentTesla
56f2c7b9d0efa06b177d87a0617b2a4ccb000d72599d046e3cc014628a4ca497
AgentTesla
6ef9a45a617adf0e0ff740e37c865325289a110394725c393c314a3128a2575f
AgentTesla
743cd5b161539860d7779adcc10b393ebb812c8c201b98c974b43ff1f404c34d
AgentTesla
d49937e0591260a3ac4786590742570bbdf561425889822c1ee564a2b8fff67b
AgentTesla
f150b76e622e7da135e3d47a20c424aa20a6efeb839b15d301c17233bdcbc9f4
AgentTesla
+ 10'598 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200722-q3f8lbswpe/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Loads dropped DLL
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/49e632e838ac0139428e5642877ed012359df09fbe438637be2de99dcb68d73d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 7f9b8701049273da231a5bb1db9719c6d027486cdf00e423026760eef84156eb

AgentTesla

Executable exe 49e632e838ac0139428e5642877ed012359df09fbe438637be2de99dcb68d73d

(this sample)

  
Dropped by
MD5 e706b5202a0b2be50b434f3b9216475d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/31009/
  
Dropped by
SHA256 7f9b8701049273da231a5bb1db9719c6d027486cdf00e423026760eef84156eb

Comments