MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f9d61cafc1ba6c3438d0627ca782cb90ee750d9ae39aa7e57661dea0f7bd5c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 3 Comments

SHA256 hash: 7f9d61cafc1ba6c3438d0627ca782cb90ee750d9ae39aa7e57661dea0f7bd5c7
SHA3-384 hash: c37de5ddd270f6483a0b422f63670e0aee4f6a9aef1631f177d1c3e7b8a971570e373c7fdee56faa97341e0258b0cf12
SHA1 hash: 9fbdf68bfa4f708a1b1b9f6ba04800fc524158a3
MD5 hash: 72ed8d80ded5c6f7044fafa1a67f9e47
humanhash: snake-six-cat-nuts
File name:CONTENEDOR DE COMPRA.pdf.exe
Download: download sample
Signature AgentTesla
File size:453'632 bytes
First seen:2020-06-29 19:21:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:cc5lCCgL9qsdLR79b9UOKqurLEXKdrznI9Xyr/HAumNXHVFRV7/+ctv2x5nJVI6C:cc5lCfJpdLRR9C7ayIghg19/+bm
TLSH AAA4F128361E6A7FCA7C45F541A2660503B5D1A634D2F7D68DC370E424EBFF84A83A27
Reporter @abuse_ch
Tags:AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: sl2.cyberfuel.com
Sending IP: 190.0.224.85
From: calvear <calvear@alfa.com.mx>
Subject: CONTENEDOR DE COMPRA URGENTE
Attachment: CONTENEDOR DE COMPRA.pdf.gz (contains "CONTENEDOR DE COMPRA.pdf.exe")

AgentTesla SMTP exfil server:
mail.trademaxperu.com:587

Intelligence


File Origin
# of uploads :
1
# of downloads :
31
Origin country :
US US
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-06-29 19:23:06 UTC
AV detection:
25 of 30 (83.33%)
Threat level
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

c9c16e29e3661eb0a9b84b7b3123f755

AgentTesla

Executable exe 7f9d61cafc1ba6c3438d0627ca782cb90ee750d9ae39aa7e57661dea0f7bd5c7

(this sample)

  
Dropped by
MD5 c9c16e29e3661eb0a9b84b7b3123f755
  
Delivery method
Distributed via e-mail attachment

Comments