MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 717cc1c1cd1788a45027d549ae018a57f72e8f5f7586be633055c2400440b489. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 717cc1c1cd1788a45027d549ae018a57f72e8f5f7586be633055c2400440b489
SHA3-384 hash: 39eac341e741b2e663f39e57384d399f9339829f9de6a942ec0976e9bf82273d013c3acfb24e7e1303917149a8cec8ce
SHA1 hash: e030714e67ddeff23860be582553807d15c7f1e2
MD5 hash: 5678efb48a28b255830a91e260c2504e
humanhash: xray-network-coffee-north
File name:scan00001543
Download: download sample
Signature AgentTesla
Create hunting rule
File size:407'552 bytes
First seen:2020-05-27 08:08:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:ZG7+n1e14yvwvJgI4ixHKEjy63q6Nmv876v8TA:0SAwvJ5Hzjy63q6
Threatray 139 similar samples on MalwareBazaar
TLSH 2E84AEAC725476DFC86BC4B69AA42C61ABA034B7530BD247991311EE9E0DAD7CF140F3
Reporter abuse_ch
Tags:AgentTesla scan00001543


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smarthost1.gohsphere.com
Sending IP: 199.127.218.11
From: Ruel T. Botones <ruel.botones@bollore.com>
Subject: Please submit your Invoice - Urgent
Attachment: scan00001543.rar (contains "scan00001543")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
72
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis5678EFB48A28.7993.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Frs
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 09:06:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 31 (74.19%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0b0843fec59e2e7c90b04d88f9d90f7e6a3c8e7511a601d20ba588a52380781b
AgentTesla
177b73c79389109f104de7e18a98b666fac019dae540695eff90bc1093f3db3d
AgentTesla
3853c83c0df51ab8dc2d06d29efc8ca581044dbbcfe4c7c4d05fcc0ab62e22a8
AgentTesla
538a207974969d50055870c016eb819c2a71a1388db863bf025ea5bc2144b00b
AgentTesla
939fdc62cfcefb4deae6e71b84abe160c14fc6b41c787064479f607b1d5bacca
AgentTesla
a66accde52c8f24dbd3d705a4babfee4015f547dc6f7a608cb6d37dd2930fccd
AgentTesla
c51d3c8be3936b476ac729e5ddc15eb4dcd5dea18dbcf8200f0767b33ab0b076
AgentTesla
ee6195ec1370d529ba036d6ce5f7ca391822519455a57817e1576ac8a45b8b8d
AgentTesla
f70e37d9c9380b978df1ccb8a67f644bb7d90174c420ff4b90beb61edb9e5f99
AgentTesla
f86be0fe01d3a3fae24c8bf92bb289ec52dd7f6a9461b9ce95f062d162f124c0
AgentTesla
+ 129 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:m00nd3v_logger coreentity rezer0 spyware stealer
Link:
https://tria.ge/reports/201109-gheba3cqbe/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Uses the VBS compiler for execution
M00nD3v Logger Payload
rezer0
CoreEntity .NET Packer
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_NK_BabyShark_KimJoingRAT_Apr19_1
Create hunting rule
Author:Florian Roth
Description:Detects BabyShark KimJongRAT
Reference:https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 1982cd28239c9b7882794b27b48099bc9f6706df2e47d3916dfc4e811a2b08d6

AgentTesla

Executable exe 717cc1c1cd1788a45027d549ae018a57f72e8f5f7586be633055c2400440b489

(this sample)

  
Dropped by
MD5 45de4eea91072f0c655b66b94f8b3ad9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1982cd28239c9b7882794b27b48099bc9f6706df2e47d3916dfc4e811a2b08d6

Comments