MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abbcbdace318afff0408188e4e1025ebc49c3157838066d775b5e70a5c8c2620. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abbcbdace318afff0408188e4e1025ebc49c3157838066d775b5e70a5c8c2620
SHA3-384 hash: 7d912c88411bacd12ac37269d0cef3e9fb91c84cfeb7a08e4f849c457956ca536c0baf7364c828d11e183bd4c55aff2e
SHA1 hash: a514c5f3d637dd86af5d32ccf55bd7df2a3abec1
MD5 hash: 3108d539e45f8a66f4ab8b2c5e20497f
humanhash: pasta-artist-mirror-xray
File name:znol5gxxtd2gytr.msi
Download: download sample
Signature AgentTesla
Create hunting rule
File size:503'808 bytes
First seen:2020-06-19 09:33:55 UTC
Last seen:2020-06-19 10:45:18 UTC
File type:Microsoft Software Installer (MSI) msi
MIME type:application/x-msi
ssdeep 12288:OE8tuSZEgn05KWKlYUqTTZUtN7CPhHvcx8fi2suDwY2iN:OE8tuPc9W9fTGv7CPlvTq2JcY1
Threatray 10'629 similar samples on MalwareBazaar
TLSH 61B4125C76E8CB36DDEC0378A9A5857153314D81AAD3E76A6EC4F5AB0E7338082905F3
Reporter abuse_ch
Tags:AgentTesla msi


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dunjimowa.com
Sending IP: 167.71.118.128
From: kigaliimportexports@gmail.com<kigaliimportexports@gmail.com>
Reply-To: <kigaliimportexports@gmail.com>
Subject: RFQ for New Contract
Attachment: qVrqVsDf0a1t_3601107.xls

AgentTesla payload URL:
https://dokivsem.com/lmage/znol5gxxtd2gytr.msi

AgentTesla SMTP exfil server:
mail.eljsn.website:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/19867/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.43622.7211.24220.UNOFFICIAL
Create hunting rule

Result
Threat name:
Unknown
Detection:
malicious
Classification:
n/a
Score:
48 / 100
Link:
https://www.joesandbox.com/analysis/377929
Behaviour
Behavior Graph:
Download SVG
Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-19 09:35:05 UTC
AV detection:
18 of 31 (58.06%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19a180b5e3696a27292810125957efca24a09e7743d951e5386bd69daaca8dfe
AgentTesla
35912ff3b78d0699082450202cc16cec5c11447c39ec0e4db7738c188662f0c5
AgentTesla
3c1c87b3785b1643eb9c1f44286594879683b8993bd68f5ce0508d45e81201d0
AgentTesla
8a1bab54673df9e46725e035d92723321576c1b871ac44facc775881d39f44a7
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
983642426c54efb09b590e6f4344483d07b99a9e3a2551d504d4293183d701c3
AgentTesla
9c95f96fa58267c6defa295d7ed8909fc5c2596ad572fc17acca4281f21aaeff
AgentTesla
c134ba3043baebc93025b74a07ce9a439ea463fce0a43d4d9ef15d62871e28ce
AgentTesla
d3168e892cc0eac2e010fa380fd64aae8c55acddb06344b543a6fb0cc05e8dd3
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
+ 10'619 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence rezer0 spyware stealer trojan
Link:
https://tria.ge/reports/201109-sb2p1hs8kx/
Behaviour
Creates scheduled task(s)
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Drops file in Windows directory
Modifies service
Suspicious use of SetThreadContext
Enumerates connected drives
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
rezer0
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xls 128ed58bb6f0f83eeea8657f7a87b1aba70166be2f47279f2d975b436790c349

AgentTesla

Microsoft Software Installer (MSI) msi abbcbdace318afff0408188e4e1025ebc49c3157838066d775b5e70a5c8c2620

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/399077/
  
Dropped by
MD5 18bc0a24938fbe7f62c594f63176c14b
  
Dropped by
SHA256 128ed58bb6f0f83eeea8657f7a87b1aba70166be2f47279f2d975b436790c349
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/19867/

Comments