MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87f94a2fca72d8b4a2317257b3333d415ea4a9f28ac1470967f7b30e775030c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 2 File information 4 Yara 3 Comments

SHA256 hash: 87f94a2fca72d8b4a2317257b3333d415ea4a9f28ac1470967f7b30e775030c2
SHA3-384 hash: ef40b06b87fada30cb580a2b3f2bf3f8687ecaf546974171281c85234aa3dd28ae5ff5320e9ddbbc4b8b7f769bb1e499
SHA1 hash: f9ecfab5740a0d2947686dc6802e9759214be317
MD5 hash: 4c2b89f7f2367057d2b74c7cf3eccdd9
humanhash: south-florida-one-wisconsin
File name:Purchase Order No. 6095-SAP (Ref. No. 587-MCS-19).exe
Download: download sample
Signature AgentTesla
File size:465'920 bytes
First seen:2020-06-30 08:59:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:RHtv2x5k5mPCWdgDJQsidDqSeJu0IttntGjp4zcIjD/cOl1/zwG4dL1wI3e6A:ReiKgDLMDP2uhGjp4xZB4F1i
TLSH C2A4F118736C9D2FCB781AFE81516A050BB9D87B3486F7D94DC620E898DAFD40E43927
Reporter @abuse_ch
Tags:AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: vega.awedns.com
Sending IP: 101.99.77.52
From: Hit Computer - Terry <terryssw@hitcomputer.com.my>
Reply-To: Hit <nicolasdiegonicolas@gmail.com>
Subject: Purchase Order No. 6095-SAP (Ref. No. 587-MCS-19)
Attachment: Purchase Order No. 6095-SAP Ref. No. 587-MCS-19.GZ (contains "Purchase Order No. 6095-SAP (Ref. No. 587-MCS-19).exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence


Mail intelligence
Trap location Impact
Global Low
# of uploads 1
# of downloads 29
Origin country FR FR
CAPE Sandbox Detection:AgentTeslaV2
Link: https://www.capesandbox.com/analysis/17040/
ClamAV SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
CERT.PL MWDB Detection:agenttesla
Link: https://mwdb.cert.pl/sample/87f94a2fca72d8b4a2317257b3333d415ea4a9f28ac1470967f7b30e775030c2/
ReversingLabs :Status:Malicious
Threat name:ByteCode-MSIL.Trojan.Kryptik
First seen:2020-06-30 04:38:08 UTC
AV detection:23 of 31 (74.19%)
Threat level:   5/5
Spamhaus Hash Blocklist :Malicious file
Hatching Triage Score:   10/10
Malware Family:agenttesla
Link: https://tria.ge/reports/200630-ahp2vk3bv2/
Tags:keylogger trojan stealer spyware family:agenttesla
VirusTotal:Virustotal results 40.28%

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 87f94a2fca72d8b4a2317257b3333d415ea4a9f28ac1470967f7b30e775030c2

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments