MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b87cc774298ac7e6db8019cfd657e7d9874d638d034238d260e0bf08f1b7f23d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b87cc774298ac7e6db8019cfd657e7d9874d638d034238d260e0bf08f1b7f23d
SHA3-384 hash: 5381e99896e0e30285f96f9b3a9f341c5d84031e05e2d52a5a9036907784f5ab50a319033c1db2443afc58cdf74028f3
SHA1 hash: a87995a0f3f9352e0eeb2b7ca55c3bcb1d53348e
MD5 hash: 4af9079a6228f2857a84e35b098d6bdd
humanhash: william-delta-mobile-sad
File name:ztYQWLnqiKzUcTg.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'113'600 bytes
First seen:2020-07-20 12:53:09 UTC
Last seen:2020-08-02 07:33:44 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 12288:xnYDfM85661q9I6/kldSCGDyaod+ik4g8y3SoDWiD+JUh5RLlNoMRhhdDJro8LES:t0566OPW2rEloD/DaU/KuDJrvQSnC27
Threatray 10'638 similar samples on MalwareBazaar
TLSH 4435ACD53641940BC2DD2E7A4F41C930C361DD89F6F6E26227E26DEB3DBD26BE820191
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: wilhelmsen.com
Sending IP: 88.218.16.194
From: Wilhelmsen Ships Service <thanh-trung.le@wilhelmsen.com>
Subject: MV PRABHU SAKHAWAT APPOINTMENT
Attachment: 00006765467.xlsm

AgentTesla payload URL:
http://88.218.16.20/ztYQWLnqiKzUcTg.exe

AgentTesla SMTP exfil server:
mail.qatarpharmas.org:587

Intelligence

File Origin
# of uploads :
3
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/29125/
Detection(s):
SecuriteInfo.com.Artemis4AF9079A6228.9760.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391616
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b87cc774298ac7e6db8019cfd657e7d9874d638d034238d260e0bf08f1b7f23d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 11:07:58 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xb6mo5bjrld6nw4adhh5mv7h3gdu2y4nanbdruta4c7qr4nx6i6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
AgentTesla
131d016519d6ec1f5ce66362f5c4c917d4cdf0648242f20272b59a43764c53f0
AgentTesla
1a833542a69d8d09c66269575771e81866bbfc6a25d697166fbef41a715d6436
AgentTesla
2699d730f222179c1d8d1fac889acf4a7bccffe197d58d1426a7f3431ba2194e
AgentTesla
38c7abbdbd7cec9dd5f83cb39a036052136c4fbade6b323f2a4b2d4c8af2619b
AgentTesla
3a485b15429ea9e1d54323b99052639043dcd201ad854a4aa926cc923412483b
AgentTesla
bfa03a66eb0b9720abf3efe1e9a220daa682dcb69f6bb6febdbc56bb9624e77f
AgentTesla
c5950364dc53023d6222f8a8a5bec8420e80ebd71175447a717b5807397a3ee2
AgentTesla
d16f873e2941fb953e381f4bcf8bcb347bfa1125efa06c71706e02c960717213
AgentTesla
e47d2283c026db3c1d24b547699e99b6306c795616e2d13eb107de9a6eb938ad
AgentTesla
+ 10'628 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200720-k2e14ckjsa/
Behaviour
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/b87cc774298ac7e6db8019cfd657e7d9874d638d034238d260e0bf08f1b7f23d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xlsm a5b55a2e907c77d723c7b81102f0691c405f43e7ee822e918d917d116500f9a6

AgentTesla

Executable exe b87cc774298ac7e6db8019cfd657e7d9874d638d034238d260e0bf08f1b7f23d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/415202/
  
Dropped by
MD5 ad0af69b5d09b0efa067582cc6096916
  
Dropped by
SHA256 a5b55a2e907c77d723c7b81102f0691c405f43e7ee822e918d917d116500f9a6
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/29125/

Comments