MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87c88de3a875c7997a34e00e8c7c97577f046332811dcef6cba7c33b37c42396. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87c88de3a875c7997a34e00e8c7c97577f046332811dcef6cba7c33b37c42396
SHA3-384 hash: 45a6843c431abb217f989ccc1007c6352c91a4bf72579283a0753b0f8e70ff5d3d9e8394327fdb9314b24dfef3af8463
SHA1 hash: 7af28dc2d18281e450738b4a477cd14014458e72
MD5 hash: 22f207e5e15c4ec19b80e07fa45967b9
humanhash: ohio-mockingbird-missouri-spring
File name:import_documents.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:404'992 bytes
First seen:2020-06-28 07:27:04 UTC
Last seen:2020-06-28 08:45:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'601 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:SFW+0+AJPMrQRxmZe0p+t8McIU3fJM/uqcqu39HmKKAqxBxiNsBmf/3oKg:w9+PRxmZFpa8vIR2qG3xmKKz4f
Threatray 10'625 similar samples on MalwareBazaar
TLSH 2D84CF25565E8230C7AC0B3698B4622BC7FD5123118B9B4B5E9F2FF54523FC4288E5AF
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.example.com
Sending IP: 45.147.162.82
From: ALMY TRADING COMPANY <admin@genoram.tk>
Subject: 回复: 回复:30% as deposit slip of 6 units 6 x 4 Tractor Truck in the amount of $ 80,523.00 only
Attachment: 30% as deposit slip of 6 units_images.zip (contains "import_documents.exe")

AgentTesla SMTP exfil server:
smtp.office365.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/15151/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.348.23243.23577.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/87c88de3a875c7997a34e00e8c7c97577f046332811dcef6cba7c33b37c42396/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-27 17:54:46 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7ei3y5ioxdzs6ru4ahiy7exk57qiyzsqeo455wlu7btwn6eeola._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0471b3fae6b442df8ec3b595b5d090527127d3b9a75eb0f12f3e5647d03256c5
AgentTesla
1a4dea5eadd7dd451ad9a13ba19fce11b26e33e0a730662fb39147ea7f0b94bd
AgentTesla
1eeb2016c83b430e5e444f7dade67a84d441061180087ac57eb8f89d196d4773
AgentTesla
678b9fd48c80a3dd4db9ecee8a22ef3d4ef4ce32a2f5778c5ee6d6f15758c8b1
AgentTesla
78ad62b24107f198b9f433c8eceeecbb346394da7fc16578cd68d70eb892dc0b
AgentTesla
b283242e8ae83c1b2136090df9d70d06e328ee7116186667ed766d87f468da93
AgentTesla
b724556bd0d2324ae566eb3a0c2f433bdbb2d2e4d83d4e6e0058d6c8b1edf188
AgentTesla
e632088f3b6717d23c6053d3b3e917a71684475d2a23876b34c3fca2dc7424d1
AgentTesla
efce4b4309987f45ebc256f2d489446ebdea2b2a31056f65459cc59589aeecdb
AgentTesla
f15d580cc1e0b17070f7fe48cb8d8a60177e4e8468d5b5f2008e6be5c3a85b42
AgentTesla
+ 10'615 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200628-za6vkbc942/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Adds Run entry to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0297de22b433fe7ecee63b5f80b78c4749bb8f4cfec0cd737713d87781d1db52

AgentTesla

Executable exe 87c88de3a875c7997a34e00e8c7c97577f046332811dcef6cba7c33b37c42396

(this sample)

  
Dropped by
MD5 e1bbf29e91649fd3a3c7a6b20a301860
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/15151/
  
Dropped by
SHA256 0297de22b433fe7ecee63b5f80b78c4749bb8f4cfec0cd737713d87781d1db52

Comments