MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a215d79e7703e7f3b7a4c83ec0588f8d803fee7395aacb48355f4388fa3bb45a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a215d79e7703e7f3b7a4c83ec0588f8d803fee7395aacb48355f4388fa3bb45a
SHA3-384 hash: 16ae0b7d25d0f7ecf6f1ae55cd53b0356defd9cd490bdbd269d19c25364fcb5c554e9ceff3878468d5edc50cdc7434b1
SHA1 hash: 824498d32dd96df751636b0708e3fa6ccb79f3da
MD5 hash: b54c0a16b8ef146964407ed92fbf37da
humanhash: north-magazine-north-missouri
File name:invoice copy.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:415'232 bytes
First seen:2020-06-26 06:12:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:GVXvhTrD462atRdHOYxlnFyYg57Yx8zjH:GVXvhTrqATG7Ym
Threatray 10'586 similar samples on MalwareBazaar
TLSH 1994DF0123A89B1BDD7943FDF021225503BA711526E2E6584FCA20EE7D2FB874B576E3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: yandex.ru
Sending IP: 95.211.208.58
From: Export<ac.general@yandex.ru>
Subject: Urgent Request for Account
Attachment: invoice copy.pdf.z (contains "invoice copy.pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/14596/
Detection(s):
SecuriteInfo.com.Generic.mg.f75bcb16ae21df7e.11718.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun with Startup directory
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a215d79e7703e7f3b7a4c83ec0588f8d803fee7395aacb48355f4388fa3bb45a/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-06-25 22:29:12 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uik5phtxapt7hn5eza7maweprwad73ttswvmwsbvl5byr6r3wrna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12b8f1b224e66e7fcae47229c008f04c435cbc98dff24c4a4092a80f26b67924
AgentTesla
2fa927f3deb121b021b9d9ada6697febc104bbdedf4f0b0e3939096019506de1
AgentTesla
7bfef06a2f15aed4eac113ed1f95d62d9734fd8ae39aa841b8e66e6e43699266
AgentTesla
93152b69f096e83b405df3768ebe3cda65140e176152ce5bd4f5b23df17aeda3
AgentTesla
b4d253fd7bee0ac5be341956d6dcce635957111e207bfee5af0fa9067b066bcb
AgentTesla
bd41417bfd1a5a3a4728eda91829dfcf381d84029a929a5fc23a0c03397042f0
AgentTesla
bdcc7aa652bc9e11d479f3637444a623bdc3f013a8009f1b2c98f0b096c0a7ad
AgentTesla
d04dcf3acadd338b0f37c1299d9fe0cbace1d8eced56c3150f2b982739ff7447
AgentTesla
d1ae53434dc30f928a0062ca8e93b070a4c3e359c9709875e59c332dc6170b6e
AgentTesla
f1b5f045df72f5e6f35be5014e0884ef0a5ce1255b558461647340044573ba9e
AgentTesla
+ 10'576 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200626-p55e8mjbba/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z c1a8bd777508dfb7c79167e8716e28bd47ed40affbcbee2c9f988b282d7c22ed

AgentTesla

Executable exe a215d79e7703e7f3b7a4c83ec0588f8d803fee7395aacb48355f4388fa3bb45a

(this sample)

  
Dropped by
MD5 4e809b0bddd654bb27d76fd04aa20d33
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/14596/
  
Dropped by
SHA256 c1a8bd777508dfb7c79167e8716e28bd47ed40affbcbee2c9f988b282d7c22ed

Comments