MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7517268fa9a5918285b964fc4c23e7b012e08a6ce0ccd6ae9b4e12b6f7a66b93. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7517268fa9a5918285b964fc4c23e7b012e08a6ce0ccd6ae9b4e12b6f7a66b93
SHA3-384 hash: 7656578d2ab0b22d8707aa6e65b16e7a92b2d072ff9fcb6ae98552c569c4fff13f4c49782b3f780bf2054a448be5ef0c
SHA1 hash: ab9d20984e6a2139e4d1d8cb182a3831ab4fb462
MD5 hash: d9ae7aed350687b335d0c62be75add06
humanhash: steak-nineteen-equal-table
File name:AWB DHL 6357297368..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:529'408 bytes
First seen:2020-07-01 11:12:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:+O2ymWg40euI73BzXfZv9aIy4Jw/qZSVn:aW/0sjBjd9a6+RR
Threatray 10'660 similar samples on MalwareBazaar
TLSH 95B4AEC071B68B96EAB657F74A32980047F6B8BE253EC3594DC660DF81A1F500FA5B13
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dhl.com
Sending IP: 103.99.1.149
From: Nathaniel Johnston<nathaniel.johnston@dhl.com>
Subject: RE:AWB DHL 6357297368
Attachment: AWB DHL 6357297368..zip (contains "AWB DHL 6357297368..exe")

AgentTesla SMTP exfil server:
mail.pptoursperu.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18205/
Detection(s):
SecuriteInfo.com.ArtemisD9AE7AED3506.6542.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7517268fa9a5918285b964fc4c23e7b012e08a6ce0ccd6ae9b4e12b6f7a66b93/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-07-01 11:14:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=oulsnd5juwiyfbnzmt6eyi7hwajobctm4dgnnlu3jyjln55gnojq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
112119f35421deb465459bd5fd6a83b717ed74986317643c2d92364cbbd78da3
AgentTesla
17a6854b9d7de26d3c70352b1a5fe59aeb25abd75c57902950278569bac64f78
AgentTesla
25fc942b81a074fe6b40b2f817fb87d28a54949bf604e54c414c890a351b83e4
AgentTesla
2791e882cf9c19fd8485165584afdccbeac1b7a5ae1781588ea02b7e5f856602
AgentTesla
379932a035b022f75183de013c25c88433271bc39d656a42c0e87090dbfdbf72
AgentTesla
7cda8a0d2ad7c34b3c8577a5edcd91ffd9c270233b85054922d83f2a040b560b
AgentTesla
b823ab3333cbfa29218063de8440da29fc50aa7db3e70bbc9bf586c2f1eff696
AgentTesla
bda58e31e45ea822d7b59a1cc4421de12393f9f955a0ba51837040e9ed8547ca
AgentTesla
c594bafa6dcbf802c725eae57c20da6f474f0820d0a1e6ab2368e1402be669ae
AgentTesla
d323ad1ca431acbe0b5e81ca108a0535591a33e7587b144f4354a269f0e1837d
AgentTesla
+ 10'650 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200701-ht6qnj3hg2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

977aa3fcdf31872b779d1e73ea4326ce

AgentTesla

Executable exe 7517268fa9a5918285b964fc4c23e7b012e08a6ce0ccd6ae9b4e12b6f7a66b93

(this sample)

  
Dropped by
MD5 977aa3fcdf31872b779d1e73ea4326ce
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/18205/

Comments