MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b502f774e9192f77aa713347f2747b67df5a473be721226bf0b2d98bdff8a835. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b502f774e9192f77aa713347f2747b67df5a473be721226bf0b2d98bdff8a835
SHA3-384 hash: bc8ec0328860714f53b62d9d9048145fb9b4e081ab064b87f690ba9727b225f5b75f0b0e5ed202e79b90c82435556f8c
SHA1 hash: ec34d3e46733b924109b2b497c2d71af5a7a068c
MD5 hash: 76d8613a1f8e6d4ee26f371216e0b9dd
humanhash: nineteen-double-lamp-oxygen
File name:MEDIFORM SA COMPANY PROFILE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:543'232 bytes
First seen:2020-08-18 12:05:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'612 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:p8FKT5iFLXjKh9bnDFmi9j3JxU6oOhEtpPUdx49jq:p1IPC9bDQyj386oHtpPUdK9jq
Threatray 145 similar samples on MalwareBazaar
TLSH CEC402183224F29FE86F8DBA99985D70477131AB930BF3669C0399D9695DAD2CF000F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: tacadenaplc.pw
Sending IP: 104.168.253.8
From: Mediform S.A<mediform.s.a@hotmail.com>
Subject: Re:Fw: Request For New Inquiry RFQ
Attachment: MEDIFORM SA COMPANY PROFILE.rar (contains "MEDIFORM SA COMPANY PROFILE.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
64
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/47799/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Enabling autorun by creating a file
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b502f774e9192f77aa713347f2747b67df5a473be721226bf0b2d98bdff8a835/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-18 05:20:39 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wubpo5hjdexxpktrgnd7e5d3m7pvurz344qse27qwlmyxx7yva2q._file
Verdict:
unknown
Similar samples:
144903e623b5997d6856a3880393ebe02411b41c1aec3460168a59e2ec00aba5
AgentTesla
1e951012c34ea9b3762e742c890933a799c4c487abdc7639abae579eebf50e9e
AgentTesla
381f02195474516491ab7964f7c266d5b8dfb99e0b84b359bba583ba6fd8ff88
AgentTesla
45eac93db3a0554afa555fdfced45c8bd9d5c973d05f3e4b40219be984dd0d28
AgentTesla
5f928f6a534f2420969e9072892d08011473d5993a183c515f2ff2620a33a56f
AgentTesla
677eca0f74afb71debcf21e53261c6bd8adf27d2fd8ac99e0a5e9e7b2231f5fb
AgentTesla
723071d4e54bdfd50d7ca47b02f67ea70aa59ddffbab36d8dbc5eadfd4b799be
AgentTesla
768106dd85ae7bc7664caf2a3cf70bb0912e701f142b0f47569fbb6fe0716a8f
AgentTesla
79332d4d6e67f0249eb82809d637d6337823e0236ca39c99dd1aa0519ea834d7
AgentTesla
9f20023fc4c5c192804b85d3d206b9b78cbce88746d8611a69d27f40228d1f0a
AgentTesla
+ 135 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200818-m6cca5la3j/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b502f774e9192f77aa713347f2747b67df5a473be721226bf0b2d98bdff8a835

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 0c11f2f59990e9ef2c7439bc83da55fb0f7adfcdf19635e62f0356787e43a9c2

AgentTesla

Executable exe b502f774e9192f77aa713347f2747b67df5a473be721226bf0b2d98bdff8a835

(this sample)

  
Dropped by
MD5 5c7bf06c5f2880bfd3b6ed0f71b9b4e5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/47799/
  
Dropped by
SHA256 0c11f2f59990e9ef2c7439bc83da55fb0f7adfcdf19635e62f0356787e43a9c2

Comments