MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9de8f1dc72cc6be96872e627f826014de9f199f163790b929565c939ddbaf7ad. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9de8f1dc72cc6be96872e627f826014de9f199f163790b929565c939ddbaf7ad
SHA3-384 hash: 29b0474eda92051008431326d67b17744f5787360c4bf4a127b923314b2d440c73abc10031239954b862b02570476675
SHA1 hash: 13b125d364e7198e5173e704830d6d8c7f17892a
MD5 hash: cc74b310f3466098da519165458717a9
humanhash: indigo-floor-whiskey-eleven
File name:copy-1890SS_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:759'296 bytes
First seen:2020-06-23 14:03:13 UTC
Last seen:2020-06-23 14:34:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a3bfafd3839d7a926bcc393a99921236 (14 x AgentTesla, 10 x Loki, 3 x Formbook)
ssdeep 12288:lDRuXrEbb00e9ElcwOixtthKGc7WR5Sc7YpDqII4nZc5Kb8TGV:JYbQhe9RKthmg5ANIAq5KITI
Threatray 11'030 similar samples on MalwareBazaar
TLSH F3F49EE2E2E049F2C162157D7D9BD7789826BE5139285A472BEDFC4C9F3D241343A283
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: coscon.com
Sending IP: 103.133.105.166
From: COSCO SHANGHAI SHIP MANAGEMENT CO., LTD <coscon@coscon.com
Subject: subject : COSCONSEA - Statement of Account for CAU7223468450
Attachment: copy-1890SS_pdf.gz (contains "copy-1890SS_pdf.exe")

AgentTesla SMTP exfil server:
smtp.samco-sg.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/13065/
Detection(s):
SecuriteInfo.com.Win32.Herz.B.29682.7947.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9de8f1dc72cc6be96872e627f826014de9f199f163790b929565c939ddbaf7ad/
Threat name:
Win32.Hacktool.CeeInject
Create hunting rule
Status:
Malicious
First seen:
2020-06-23 09:43:22 UTC
File Type:
PE (Exe)
Extracted files:
294
AV detection:
28 of 31 (90.32%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=txupdxdszrv6s2ds4yt7qjqbjxu7dgprmn4qxeuvmxettxn266wq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
20d9b3f41efb5490b00ffa6a8836dc9f9d379bbf1cce07fd022f641d162649bf
AgentTesla
394f162ad3fd881b928c5534c22a2c81c7db33b8c7e874645fa409599cfd5113
AgentTesla
435e6e086381079a2053bf32c6eaad7e3689ae4a3f9dc667f162d0fe0df9c06d
AgentTesla
4e892591da59a34dbe9f193aee50de68ada3b074011a28f14323539147c554a6
AgentTesla
5d8edb52dabb7850b75a9bf3f899756425401e26b221fba7117c9627ae844590
AgentTesla
701e84680fac486c256f487ab9c8a6d5c7efdba7eb653fc13481c75c7f9c1ed3
AgentTesla
8ab06fe2aa7c86e6f8546d38e93a8526705f63938c0a79c74d1beee30490bcc4
AgentTesla
bd41417bfd1a5a3a4728eda91829dfcf381d84029a929a5fc23a0c03397042f0
AgentTesla
d23143c08dadac0a9421456456e6b86934fcde6833dedd9461a9b1ec111e1931
AgentTesla
e8a56f0e1fb9b0979cc6f15adde89228cade12313130671eed959bdafa39f8ee
AgentTesla
+ 11'020 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200624-59kyfaxqw2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: RenamesItself
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Adds Run entry to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 13a74988668d6b5dcfe9479216b3d0f6b627fad124c9652018a5af4fe9507d98

AgentTesla

Executable exe 9de8f1dc72cc6be96872e627f826014de9f199f163790b929565c939ddbaf7ad

(this sample)

  
Dropped by
MD5 e9a8b05e7c427266f453651f0d21aac2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/13065/
  
Dropped by
SHA256 13a74988668d6b5dcfe9479216b3d0f6b627fad124c9652018a5af4fe9507d98

Comments