MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c17b7612a5cd7b21ca202a966406d24d7d42047f13ba6254c5ea284d7d4fc764. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c17b7612a5cd7b21ca202a966406d24d7d42047f13ba6254c5ea284d7d4fc764
SHA3-384 hash: e83c1d1ff349e15b7fac1d8a005a89c367bceb0c8263f1996a734276e4a62211e61e6593523818ec904e8e931a53b971
SHA1 hash: dbb84608528fff3bbe56592d9385c22019cdf663
MD5 hash: 43ab1e4d8499507ba762ed516b3c46f5
humanhash: vermont-papa-tennessee-tennessee
File name:chusmoni.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:340'992 bytes
First seen:2020-07-07 17:17:57 UTC
Last seen:2020-07-07 17:59:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:RCX1G72+HCmLk5BeuA7swmB2oFu740mfqVH/Udl3wZxTom9WYFC1NHwv:RCXSH9mBek2oFp0mfqVH/Ur3Ixcm9J4S
Threatray 10'593 similar samples on MalwareBazaar
TLSH 7474D07F1DA54E54C2A21CF60F6C4329D79D292E1A3E83BFC814D91DECCD9D9A266028
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.benektekstil.com
Sending IP: 88.249.210.205
From: JEONG WOO-CHOIPOSCO <info@energytech.co.kr>
Subject: PURCHASE ORDER
Attachment: P.O.zip (contains "chusmoni.exe")

AgentTesla SMTP exfil server:
mail.lallyautomobiles.net:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.WOX.26468.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Forced system process termination
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Unauthorized injection to a system process
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c17b7612a5cd7b21ca202a966406d24d7d42047f13ba6254c5ea284d7d4fc764/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-07 17:19:05 UTC
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=yf5xmevfzv5sdsrafklgibwsjv6uebd7co5gevgf5iue27kpy5sa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0365844c8729d803e1e9cfc486473c346addcb06623a8781df59592ddecce3e3
AgentTesla
502a586c38cb1dd1958f5a201aedccc8d6188cc7944f0d17f31eddabccc4d6c8
AgentTesla
50926a9216bcaa109ca6434bfe263dde7e6554c47f1771a3a0da30a0a809de6c
AgentTesla
7cda3d1fc34239f1a7a85090ae4942ffe012e1f5e6dec7431062797c4d9b8c6e
AgentTesla
7d7934c353a0774e270a11d10172f1779b5d69c6e1ce219f84fd5cc8ae77ef5c
AgentTesla
823a5142f6770c65b70b35ad12d56b8a2a9bd2e6054fc2397c3cf3b8808b2b16
AgentTesla
87b32c08cb1a28d8ce4ff33d7b9f8c5fd2119f510c4b0299f31824abc283c46c
AgentTesla
968a7bf9593f8635bc6383f73cc1743b4fa776442ec7265adc138f248531bfbf
AgentTesla
a116408d80687d8690b36b9b47833c28536a57e7689d0d79d2050cf9a41d989e
AgentTesla
e2ffaab533cf46ad69fee9f095ac45555ad8de6a0581e4579e4caeb2c190b7ee
AgentTesla
+ 10'583 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200707-law4j3ql22/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip e8e78e9e5f6cef4d8d68f6aa53923c1d899bd7ad0f1094c2257e68c595a91bfe

AgentTesla

Executable exe c17b7612a5cd7b21ca202a966406d24d7d42047f13ba6254c5ea284d7d4fc764

(this sample)

  
Dropped by
MD5 2b01988b09db04abdbd45ef82f4eef6a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22365/
  
Dropped by
SHA256 e8e78e9e5f6cef4d8d68f6aa53923c1d899bd7ad0f1094c2257e68c595a91bfe

Comments