MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92f6d1e82205b64904076dbcb9909bc3ff06cd4c58c87518470eefdd8b4df084. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92f6d1e82205b64904076dbcb9909bc3ff06cd4c58c87518470eefdd8b4df084
SHA3-384 hash: b7ca826c719fad9cbec3cc5b89c778b904eedf97fd4f4aa553fd11de5e586d82aa626921de8b6466a6f17b00afa27aa8
SHA1 hash: bc12640a4387d50155642bf773337620b2112ae5
MD5 hash: 531490e562cff3b98b57d65c7ef93801
humanhash: maryland-oklahoma-maryland-sixteen
File name:REFERENCE FOR QUOTATION AYBF001 PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:708'608 bytes
First seen:2020-06-08 05:37:25 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:pEYNg3bJeUp+kOuz3bGIrPGiL4R4iHOhF8/ol8Zh:eY+bJ9muTbGsPGiSoSG
Threatray 10'592 similar samples on MalwareBazaar
TLSH 57E4D8E1B340949DE86769B9483ADDB32023AE6E9D2D510D2496BF1E7E7335700378CB
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: zcs-mta01.frontiir.net
Sending IP: 59.153.89.50
From: Harun Ozbek <soe.aung2@frontiir.net>
Subject: PR259 BIO-MEG] AYBF001 Hot Oil Heater / RFQ / Toyo Engineering & Construction Sdn. Bhd++
Attachment: REFERENCE FOR QUOTATION AYBF001 PDF.IMG (contains "REFERENCE FOR QUOTATION AYBF001 PDF.exe")

AgentTesla SMTP exfil server:
smtp.logscome.xyz:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 804e4bed814e56303457f36a0d5a6d8df998a719f03e35943f375d2423d930fd

AgentTesla

Executable exe 92f6d1e82205b64904076dbcb9909bc3ff06cd4c58c87518470eefdd8b4df084

(this sample)

  
Dropped by
MD5 ecc1991bf8bd432db81c0eb7f1439dea
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 804e4bed814e56303457f36a0d5a6d8df998a719f03e35943f375d2423d930fd

Comments