MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 77cae929decac2069a213256e01ab18f1ccae29a3fee73fb501991b419507e42. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 77cae929decac2069a213256e01ab18f1ccae29a3fee73fb501991b419507e42
SHA3-384 hash: 071007c7b1b324a42d70152ff9f4dbe153edc2d3f5dfcce4fc311f40524d97ed3bb1194a344f8bdbb64ff90e82dbfac0
SHA1 hash: c3526cf03f2df8cdccc1707297077cfbec3e4bbc
MD5 hash: b0c215630c1ed900a1d2e6aedd97cbbb
humanhash: pasta-bulldog-winter-bluebird
File name:PO_CONSUMMABLES_8899_1129_9928_9090.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:839'168 bytes
First seen:2020-07-08 07:09:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:laXAU+xBGmhys2qujwVBXcjslhtWEslhtWWD:iAU+emhyDi/sWhtWphtWa
Threatray 11'124 similar samples on MalwareBazaar
TLSH D805BD3B2766BE8FC63A0DF5909A01104FF918D37249D3F8ADC754FA88D5B848F56262
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.macartajans.com
Sending IP: 89.252.130.69
From: Cristian Rodrigo Valdebenito Riffo <cvaldebenito@csh.cl>
Subject: Purchase Order_Consummables
Attachment: PO_CONSUMMABLES_8899_1129_9928_9090PDF.IMG (contains "PO_CONSUMMABLES_8899_1129_9928_9090.exe")

AgentTesla SMTP exfil server:
smtp.knmbz.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/22914/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/384510
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/77cae929decac2069a213256e01ab18f1ccae29a3fee73fb501991b419507e42/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 03:08:49 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=o7fosko6zlbangrbgjloagvrr4omvyu2h7xhh62qdgi3igkqpzba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0874b3168d4582178f30aac5d4e86a935228aa76e68754692539105c51059467
AgentTesla
1d2b14679a8794ddfca09b38774d9b8f432955eb2d6a14cc45c79b009d5077f8
AgentTesla
2e5c6ecfef94f9922f152344b96041b85bf2dc01136e921e2d8c644d903b708d
AgentTesla
365759dd03965a10bfb50c17454055b0272a0cf33b78aa78441ab6cc996e1090
AgentTesla
79d97d58dbb9845b2101ad4a03a987b9fc8e937e43b4b9f5bfe3a47f71a6f113
AgentTesla
8100e4e4aec4f7f9ca98d640d2c68bfd47f4f7538c041f33157faf8e924d0a74
AgentTesla
8759dde700d0ea47fd29cad02f5d067431b7af49edbb7b409e5c25a22485ed3c
AgentTesla
afdef065db92bacabeb6a8b638ff1adcded1a0f578c36ac89128d13cdf701234
AgentTesla
ba988eeaeef4b7e706308c40094dd0fe2146918e0386565cc2a14243e3f0aa69
AgentTesla
f1634e4db9eba49ff284640fdb8348e96a95267d1759346f078d9144f97f8aff
AgentTesla
+ 11'114 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200708-3hhhlksytx/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 1f485ecf0bf6a6f3a128e0730f9d7f6bbe5c3a3d8f973fcf958b881cc2cffff0

AgentTesla

Executable exe 77cae929decac2069a213256e01ab18f1ccae29a3fee73fb501991b419507e42

(this sample)

  
Dropped by
MD5 5efb31a29d32b306dfb089a6690ba18c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1f485ecf0bf6a6f3a128e0730f9d7f6bbe5c3a3d8f973fcf958b881cc2cffff0
Cape
Cape
https://www.capesandbox.com/analysis/22914/

Comments