MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 83d241c20ffc94939381729ea8ec515ba5b55e7b56e1c8beb40949bb7d3e76fa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 3 File information Comments

SHA256 hash:	83d241c20ffc94939381729ea8ec515ba5b55e7b56e1c8beb40949bb7d3e76fa
SHA3-384 hash:	d541fd6c43263c88ff6680a829780f6d1b4219b26b30778e8f851592d371da293202bf71fb7e9a9e54d6c38de00be1e6
SHA1 hash:	ada33c885b7ea4854213b6071b2d42cc5465a6a3
MD5 hash:	16afbfec52c247f74a6757f57f810c60
humanhash:	chicken-pizza-white-magnesium
File name:	payment of your invoice.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	435'712 bytes
First seen:	2020-06-08 06:51:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:fD+fWvIuJkl5T3D3TJsRuGF/MbHRcO6hJ+9H:Cfmkl137NsRdu6O
Threatray	10'720 similar samples on MalwareBazaar
TLSH	0094120437E9AB26D57D43FA2090221293747717BA33E76D4CCA71D70AA7F414782EAB
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: lloydinsulation.com
Sending IP: 95.211.208.25
From: IMPORT<csb.somesh@lloydinsulation.com>
Subject: URGENT!!!! payment of your invoice 10000199
Attachment: payment of your invoice.zip (contains "payment of your invoice.exe")

AgentTesla SMTP exfil server:
smtp.proetizo.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-06-08 01:08:19 UTC

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qpjedqqp7skjhe4bokpkr3crlos3kxt3k3q4rpvubfe3w7j6o35a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2e8f8383cfdb7a42c9e5ced3469619f6154b874616a2dd793693f3b53ec5cae7

AgentTesla

32e7be2844e7be1f6ae7d262eeebe64926946ebbc8e2d91ce3760b8e1d10285c

AgentTesla

740ad559a3b83f05776ac9f2c650c3d6268d63848c556770c57a9e6edd9f03f5

AgentTesla

7d01a97eb5e90a8c74c6a16961ab1a1bff4a1408779e46cf769bb5889d2d44bc

AgentTesla

c50ba6556752607323e0e14d5429961d9af3804d9b45f8c7755ec1709efc6af3

AgentTesla

dd1dbd01bac8f1ba75f1279f9684e5f6a706559acaa2db285697c5f5e3258a31

AgentTesla

dfca8cf09994229afec678b5c279d247e3e69c45f2878f816025b4933f3bc3b0

AgentTesla

f61fba92541b23921c7904cd689121c68b8bf69780220586227bf01c9816c68d

AgentTesla

f669e4406244692e23e031d355e53b51dee1b96f1e988172a2b1eabcd0d82292

AgentTesla

+ 10'710 additional samples on MalwareBazaar

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar