MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 978d51366e13c76915194bf67170b7431115e1962eddee9debeb3f8c89d77a88. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 978d51366e13c76915194bf67170b7431115e1962eddee9debeb3f8c89d77a88
SHA3-384 hash: f65963a066114fb76c4c40235ed11bd26242cdb1acb0c6e944b7ee49cf583b2233a5a71f382f4e8ee55b6405b2aca94b
SHA1 hash: 6efacf0d78e23e04c5e0b5f92209f5656769ac32
MD5 hash: 82567da3ef7f191b0c0a50a4834a034f
humanhash: pennsylvania-fillet-whiskey-carbon
File name:Enquiry-KZ190520.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:470'016 bytes
First seen:2020-05-19 07:19:54 UTC
Last seen:2020-05-19 08:05:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:DVLRyP34YksQYvscUKEIcwPI5ndN1/Ko7YfDWxsd0vo1t55TkDhLQQ/NH:Pi4RBGiKHcwudb/KEYCxa0455Tk1
Threatray 10'595 similar samples on MalwareBazaar
TLSH E1A4126117BF9BE0C079A7FD25B3645837F670676D92E209EDC361DB12A2F902620E13
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mx19.dns.com.cn
Sending IP: 180.76.192.19
From: cnwll07@cnwll.com
Subject: Enquiry Order KZ190520.
Attachment: Enquiry-KZ190520.rar (contains "Enquiry-KZ190520.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.gc.5553.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Grp
Create hunting rule
Status:
Malicious
First seen:
2020-05-19 08:13:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
9
AV detection:
20 of 31 (64.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=s6gvcntocpdwsfizjp3hc4fximirlymwf3o65hpl5m7yzcoxpkea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
38784e09ac572a99811a368a4cc4ba28f949b2ada8f0ce426de03a0bf7c2ee99
AgentTesla
4196e77b555b5320913fbff4f5a329130e1f5b935f37f18e9deaa7b83f0b5108
AgentTesla
65e49a29cdfa1f1f91d5a59354ce7920a03b4aaddc0e26a3b002985d57388ea8
AgentTesla
793666eca93a68eaa6cbb34eac888c354c61cc5d92e5f8d99466020a430308b2
AgentTesla
89bd696df7073c78ebc27a60c79728b782ca27d1d82abc8b0d5aafea1d1d61d3
AgentTesla
96382f5a4c395562a3d763a7f61e09486af57987d43e5cd231063993bb6952ac
AgentTesla
9aacf7241d4ac98976ece20663fe83d6b5f13bfe98b597ae02ed5d39614b9c16
AgentTesla
9d81a85ddc0cda68c4b9592df54155b4bf43f958cb17afa9a84c2f77bbbda0a7
AgentTesla
e06afa0c894ebda14b627718de1c45ac92bc1037a26592f4df7751c918bb1bc4
AgentTesla
fdf384c1cbcfbcd1bbb814f9d80ddcc4d2b3c786fda29c3a48ef7cde8f08d78f
AgentTesla
+ 10'585 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla coreentity keylogger rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-e7hgsdkazn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
rezer0
AgentTesla
CoreEntity .NET Packer
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 4a1e764d1d4876d907367f1f5a6971c1a989d730a69ef4bdfc330775b053839a

AgentTesla

Executable exe 978d51366e13c76915194bf67170b7431115e1962eddee9debeb3f8c89d77a88

(this sample)

  
Dropped by
MD5 987123ffa384577269bfeffeda2b183c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4a1e764d1d4876d907367f1f5a6971c1a989d730a69ef4bdfc330775b053839a

Comments