MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 977ce0ef145f86fe87581278a8ee9f9d177dcb42c55cd070215d347c3240a596. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 977ce0ef145f86fe87581278a8ee9f9d177dcb42c55cd070215d347c3240a596
SHA3-384 hash: 01301ae69db27c09a2fcea777edcfa5980d87dc373e0e2fb36d96f07678fe47363ca97bb0539a42bada5f69cecce454e
SHA1 hash: 44588c6bd3cfe7b466be5e93b32da4f56efd86dd
MD5 hash: 5b28351f030733c6103afbc44ebdc875
humanhash: sweet-washington-ten-lake
File name:fattura proforma.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:475'648 bytes
First seen:2020-07-06 09:09:36 UTC
Last seen:2020-07-07 13:48:14 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'476 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:Pv7SeG7i+n3HAApBz+HVlvocN3cuuD39kEz+cDJhToWRPvajY8lDiKQheukEXHlq:HuhPn3VkAU3s9V3Pva8/5EgG13L
Threatray 10'697 similar samples on MalwareBazaar
TLSH 23A4E0720647FECBE72D4F78D15412400EB82C6BEB75C948BDC831CA62B6F548A79A31
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ngay7.localdomain
Sending IP: 45.127.62.109
From: Eva <alex@ale-heavylft.it>
Subject: Ri :( Fattura pro e pagamento TTBS)
Attachment: fattura proforma.zip (contains "fattura proforma.exe")

AgentTesla SMTP exfil server:
smtp.waltartosto.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
77
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/21418/
Detection(s):
SecuriteInfo.com.Generic-EXE.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/977ce0ef145f86fe87581278a8ee9f9d177dcb42c55cd070215d347c3240a596/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 09:11:06 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s56ob3yul6dp5b2ycj4kr3u7tulx3s2cyvona4bblu2hymsauwla._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
38c7abbdbd7cec9dd5f83cb39a036052136c4fbade6b323f2a4b2d4c8af2619b
AgentTesla
5568021e42a81a2755fd6d968efa50b13f99a9997d8973097231079de84832ad
AgentTesla
70e55061f4e965a512c042bc1541f3d4e5a910a493ffb63d5a123f9c82a94f70
AgentTesla
7e393bcd518415ad70e7a6924c8798391400554fce9c2a639a891dcda4f8e230
AgentTesla
916af86a5bfa7f558b376344b9aaf6e4440d21f2b38da0bb9fd60b1d4a578809
AgentTesla
adbdc4cbb6b8805700fcfd618e763872f6960f5989a62c9cdffc961d9b0f3e39
AgentTesla
af7aa3b76b8d11ba1d518006e2b4ea6d574573bd2bba6594a57825e33f9ed87c
AgentTesla
b81898c8e22774e33768ab962a3acca0c718197c2b4434f3ae51761569bd7ccb
AgentTesla
d16f873e2941fb953e381f4bcf8bcb347bfa1125efa06c71706e02c960717213
AgentTesla
e47d2283c026db3c1d24b547699e99b6306c795616e2d13eb107de9a6eb938ad
AgentTesla
+ 10'687 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200706-qr7kahnmw2/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 6d9eaa1b79232453fcc2c713cb68afdfecddb09b6dab5712fa417e5bb6efa654

AgentTesla

Executable exe 977ce0ef145f86fe87581278a8ee9f9d177dcb42c55cd070215d347c3240a596

(this sample)

  
Dropped by
MD5 a49364380ba3f0dbd284d354eddf6e89
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 6d9eaa1b79232453fcc2c713cb68afdfecddb09b6dab5712fa417e5bb6efa654
Cape
Cape
https://www.capesandbox.com/analysis/21418/

Comments