MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9b208626baf60ec7f5a78b4fcce9f9a51ef0f50f3b56adf522526526aa77b374. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 3 Comments

SHA256 hash: 9b208626baf60ec7f5a78b4fcce9f9a51ef0f50f3b56adf522526526aa77b374
SHA3-384 hash: 16f5bec0377a41be7f7460a099db73fa7f8f5b3cc504008d3f1c55a802106c9327f4ffb420e470c2436669bf2e02b027
SHA1 hash: 53254b9f0f20996d9d73342fec0a586ff5ac74e2
MD5 hash: 64ea6ba4532b38e5e76eda125a8788b0
humanhash: north-violet-carolina-cold
File name:Cita invertida pdf.exe
Download: download sample
Signature AgentTesla
File size:473'088 bytes
First seen:2020-06-29 17:44:37 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:pABzd5TKz4euG5HKKWy6ulU+Ucya2DBoEnti+KdBCL:pUdxKzoG1NWy6pP1aaXtQs
TLSH 1DA4F118326C6B37C9AC59F981827E8103B490B63543F7DE4CCC61E516DAFBD8B025AB
Reporter @abuse_ch
Tags:AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: correo.districomp.com
Sending IP: 179.27.74.228
From: Iporras <lporras@unicon.com.pe>
Subject: Cita invertida
Attachment: Cita invertida pdf.7Z (contains "Cita invertida pdf.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence


File Origin
# of uploads :
1
# of downloads :
32
Origin country :
US US
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2020-06-29 17:40:15 UTC
AV detection:
24 of 31 (77.42%)
Threat level
  5/5
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

ee12f13a0807ea927726fbd411a7819c

AgentTesla

Executable exe 9b208626baf60ec7f5a78b4fcce9f9a51ef0f50f3b56adf522526526aa77b374

(this sample)

  
Dropped by
MD5 ee12f13a0807ea927726fbd411a7819c
  
Delivery method
Distributed via e-mail attachment

Comments