MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 678b9fd48c80a3dd4db9ecee8a22ef3d4ef4ce32a2f5778c5ee6d6f15758c8b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 678b9fd48c80a3dd4db9ecee8a22ef3d4ef4ce32a2f5778c5ee6d6f15758c8b1
SHA3-384 hash: c4e3861901578ec1ea27085e506c8c04a35d08a8069afa9115ba0c5bd07344fffa93e0f6839616e6ffee432aa7f29bbc
SHA1 hash: a1ae10625fe93b24e894955a17704a8638e7c2d3
MD5 hash: 904acb49cf4263df345a8449704a2a6c
humanhash: stream-mirror-vegan-utah
File name:INVOICE_IMAGES.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:286'208 bytes
First seen:2020-07-02 12:32:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 3072:1A2SCusjrY28+zU6KULkb9r5AyUvBe6uLKgWaUwJ0zMIs1ANa2tRwMTKLs9ksjKa:lKUrYPJ3rWyU46uLKAj0zM4NqMT0s53
Threatray 10'742 similar samples on MalwareBazaar
TLSH D454196D2B88B902F63D5D3749D1226057F1D0835E12CB4F6FC41EFDAA537CA294A3A2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.example.com
Sending IP: 103.147.184.169
From: KOREA COUPLING CO., LTD <sales@koreacoupling.co.kr>
Subject: FWD:Important Notification:SHIPPING DOC BL,SI,INV#462345 // MAERSK
Attachment: SI,, packing list_images.rar (contains "INVOICE_IMAGES.exe")

AgentTesla SMTP exfil server:
smtp.office365.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18461/
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/678b9fd48c80a3dd4db9ecee8a22ef3d4ef4ce32a2f5778c5ee6d6f15758c8b1/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 12:34:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m6fz7vemqcr52tnz5txiuixphvhpjtrsul2xpdc643lpcv2yzcyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04803c612483d76474860d5942b69d5ee3a68987a258b76283d60b345c188c62
AgentTesla
55e93e43efaeb600deafd813f7eef356e836904b0d83e545dc47b3ed0078316b
AgentTesla
6c23d5aac98c05cf9faca072f1875f7fcde253a4a782dda7d897681bda6f92d9
AgentTesla
7b668bf6740289b2750a497800467fcf725fb111071e3ea4e74153e5159a3aef
AgentTesla
7b888494d9279f87b3b2a69e11fa5a68efa06bc86522d02764382da220396861
AgentTesla
87c88de3a875c7997a34e00e8c7c97577f046332811dcef6cba7c33b37c42396
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
b283242e8ae83c1b2136090df9d70d06e328ee7116186667ed766d87f468da93
AgentTesla
e632088f3b6717d23c6053d3b3e917a71684475d2a23876b34c3fca2dc7424d1
AgentTesla
efce4b4309987f45ebc256f2d489446ebdea2b2a31056f65459cc59589aeecdb
AgentTesla
+ 10'732 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200702-8ss2klfwbs/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Adds Run entry to start application
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 2c0fff27b47ebe46df4e06ffddd0eea73210599a41a04c02680c819f9a301c3d

AgentTesla

Executable exe 678b9fd48c80a3dd4db9ecee8a22ef3d4ef4ce32a2f5778c5ee6d6f15758c8b1

(this sample)

  
Dropped by
MD5 d50b03270d49e1ba2fb2e3e6ca95b739
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2c0fff27b47ebe46df4e06ffddd0eea73210599a41a04c02680c819f9a301c3d
Cape
Cape
https://www.capesandbox.com/analysis/18461/

Comments