MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7dfe0b47bb69bb9fb2972e346d3699ab7a0a983e8e70e4cf3bd300d1844d2fe1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 3


Intelligence 3 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7dfe0b47bb69bb9fb2972e346d3699ab7a0a983e8e70e4cf3bd300d1844d2fe1
SHA3-384 hash: 9a12c586e5941ded4c4c7204d8ef6c9be79d45bb0b3e405afb9fe6a6fa53063b39457c3d9f94cf7918fbab5d01306498
SHA1 hash: 2e1dfca56038f2a82de29f5b66e51cc58d5e4ee2
MD5 hash: c0b36f3e31d30d542c16f77f7a4bfcde
humanhash: echo-green-alaska-emma
File name:FACTURA 1-220348 Fecha 27052020 LOGICART,S.L..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:384'000 bytes
First seen:2020-05-27 12:11:12 UTC
Last seen:2020-05-27 13:17:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:NqBwOyzK6tCgOgovSnQ8Pcl9szftBNfd4b8dwpVkIpZ4UK2XmhMoMkMJ1D770inT:jOgovJszfvN6b8dwYIL4UK2Xc1LMrD78
Threatray 31 similar samples on MalwareBazaar
TLSH 3C84010CDAB88BB2D63483F648DF105447A0039A149FD77A6DF281ED1EDA7524E83A5F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: psm91.troy
Sending IP: 2.56.8.190
From: PAGO EXTRANJERO <facturacion@tesslibrenta.com>
Subject: FACTURA 1-220348 Fecha 27/05/2020 LOGICART,S.L.
Attachment: FACTURA 1-220348 Fecha 27052020 LOGICART,S.L.UUE (contains "FACTURA 1-220348 Fecha 27052020 LOGICART,S.L..exe")

AgentTesla SMTP exfil server:
smtp.ionos.es:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WBN.23526.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 12:36:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
25 of 31 (80.65%)
Threat level:
  2/5
Verdict:
unknown
Similar samples:
147309d384fd0ed8e6a3698651758454bce4f03b3df8a89a68a430ca8456d71c
AgentTesla
238c9a018dbce6149172fadd2b55baac36b4f6abf2847cc5f9f0fa6d31b4ad41
AgentTesla
2a4abd200745105770d74dbf311c5c1b4cfff4ce743cadd3d0cce2060648a119
AgentTesla
a2de45e108c6485ea29fb9952e55ca447df0414dfbefd5d0b7fd252c54d69d3f
AgentTesla
ad8a8821c9cb28b58d786906fb8e02a7c6c6fea304b7d1d80c9d40a199a4d9a9
AgentTesla
b02ff8c6708daa0385f7f5a227c85f9bebeb13e493a3f47f1caeccb1f1dc1ca8
AgentTesla
bcae322a6b33a3a45430e956f4051c920cb52ae6e843a3d476d8278a9a1ebfe4
AgentTesla
e1883cee535185cf45198efb88f2fb91e09c237c408d60780458b4c4fd50dcc3
AgentTesla
e40bb15dfd26c885e2c303d3d2a0cc1d63ce162f8414c0304cd268321a2532ea
AgentTesla
e4e29eef439bf36287f9dc660155697cc2d227fbccd34d95a8b59c5451ba5287
AgentTesla
+ 21 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201109-5hhqvesx3n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

uue 2f4f0827c3cbafae4ef072a8b41bff856616074dbb541e232d1a3257f788cff8

AgentTesla

Executable exe 7dfe0b47bb69bb9fb2972e346d3699ab7a0a983e8e70e4cf3bd300d1844d2fe1

(this sample)

  
Dropped by
MD5 0066c2d3d00c4671cc3203c1bbb66717
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2f4f0827c3cbafae4ef072a8b41bff856616074dbb541e232d1a3257f788cff8

Comments