MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 895bd4c8d2a48b22575765b56e28816dfec0a3ab991140a62cf76802c53a07bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 895bd4c8d2a48b22575765b56e28816dfec0a3ab991140a62cf76802c53a07bf
SHA3-384 hash: 9f0999484afb9acd484f0aa082fb31bbc49207af1c308673bd58f65b0ea18e940714f83e7677e411379549f8f374ee9d
SHA1 hash: c6ff996d07851a9ecc9d6b962ea0f588c1e6972b
MD5 hash: 2d7d758e0772d8415c74f0e7a97e9f74
humanhash: bakerloo-lion-hamper-winner
File name:PAYMENT SWIFT COPY PRINTOUT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:690'176 bytes
First seen:2020-06-10 07:23:31 UTC
Last seen:2020-06-10 11:57:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:C7wv68+6s5pMAceqacipWri/EIAeNJRm5IK6pPevQzgWY:mwv68+1IATpZnAEEeZpY
Threatray 11'000 similar samples on MalwareBazaar
TLSH E4E48D883E086ECEC837D9F189446F146E50EC721216ED0A65F735AAC53DFD7AAC41E2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: tucker.com
Sending IP: 103.133.105.20
From: Lisa Quezada <lquezada@tucker.com>
Subject: RE: FWD: WIRE PAYMENT CONFIRMATION
Attachment: PAYMENT SWIFT COPY PRINTOUT.IMG (contains "PAYMENT SWIFT COPY PRINTOUT.exe")

AgentTesla SMTP exfil server:
mail.ilclaw.com.ph:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
64
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Threat name:
ByteCode-MSIL.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-06-10 07:25:10 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rfn5jsgsusfsev2xmw2w4kebnx7mbi5lteiubjrm65uafrj2a67q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10685563fb0d52b8ca9f665512360a688085485c461cfeaed678a9376a9fe86a
AgentTesla
162a5aa5e6e0298edbae1a494d2a3e177f0fb42b1c2e35eaecdbe1715d519694
AgentTesla
23f373877f7e464405b857ef0c110f08a037d6750c3af4b60c16dc709b569c27
AgentTesla
268ea227f9a30b6221814ba9efe354f2ab07607b6273c8b51fb33d19aa332295
AgentTesla
4291277336e3c27f2cc05278635f7724fa2ff4af06a547ca5a04ac91c3d71fa0
AgentTesla
4f2846c19f7e54543fae47f03571e84dcb40835e1d24d8d3b2cb17b92545a22e
AgentTesla
950d32041bd422de6e75703707b17e94f27235d3632387f02d21160c71d2735e
AgentTesla
c5e0aca5108536d030a5ca781ae1610f8868d67082e35bf3ba3123f333dd27a3
AgentTesla
cf13202e5434ed24d8aa3c5c726735a4b3937269f44963bd6476467b63ab8a5e
AgentTesla
d0be07347ce319cbce0fa252c4a030834dafe118c2ea50a6e05951ecf06b20da
AgentTesla
+ 10'990 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-567wg23mc2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
ServiceHost packer
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 9bd4a5705120b3a1abb8df8d94849558d4c6876ccb014716214c7e5560cff48c

AgentTesla

Executable exe 895bd4c8d2a48b22575765b56e28816dfec0a3ab991140a62cf76802c53a07bf

(this sample)

  
Dropped by
MD5 618862c7a5793917cd1756d6d99dc207
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9bd4a5705120b3a1abb8df8d94849558d4c6876ccb014716214c7e5560cff48c

Comments