MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c7b49d64f3d9a7201d376c1c85085e8aed8b2911e0a7049047a6e8df62e0d70b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c7b49d64f3d9a7201d376c1c85085e8aed8b2911e0a7049047a6e8df62e0d70b
SHA3-384 hash: 4dec7b0aa83c8d1fb7f2e5f7fbb9dfa101269f87ad68922415028e5182f62afadf5291fc1d62af701122304034e04615
SHA1 hash: 295f6e2d6ba25039dc7e060f58cca62e76a3cea9
MD5 hash: dffe94f322f08bfa232ec74132bba4dc
humanhash: coffee-alaska-mississippi-mexico
File name:Our Comapny Profile.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:523'264 bytes
First seen:2020-06-11 13:51:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:5XIaUPSv6VEJD6LpQgfdZrfFTiJ5/1xHkzd6liMwlRzQNqUUKhCy1IIh2IdLE:maUg6VEt6CCdZrEJCzZMcV2Cy1IIUIV
Threatray 10'886 similar samples on MalwareBazaar
TLSH 1FB4E02936814465C43D55B3883AABC2AA77AF463A93970F70EFA30C5F0329F376551D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: slot0.rebelliongate.xyz
Sending IP: 45.95.169.223
From: info@vietstar.com.vn
Subject: Inquiry from Veitstar Veitnam
Attachment: Our Comapny Profile.CAB (contains "Our Comapny Profile.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/9023/
Detection(s):
SecuriteInfo.com.ArtemisDFFE94F322F0.448.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-06-11 13:52:27 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=y62j2zht3gtsahjxnqoikcc6rlwywkir4ctqjechu3un6yxa24fq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
145315c07011902569ae70a8d94f190fa4b0dca164a59963886e3ca923670965
AgentTesla
46d14c4bf5b7197d1c91a5705d861462c62dfd210070366122f25c275cd7e6a1
AgentTesla
54b13451934452d59e08b8d8d07d28259264149ef5dde0a3ee57a948aad8d7a0
AgentTesla
7aea54e5a7af3c0486ca05606e29416b4bae058d6ca16e06afe2d57a9da90838
AgentTesla
a4ae57283aed9c08180d74dfadb082d76e10cb6f4b01a45d1145c60f651da100
AgentTesla
c741777ff163300681c6e7268eae130d152fcc20ce11eb7df081dc146057d07a
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
ee24d93041fc2b1d9edbcbed392d8d7af1b4e490471188d6178586bcf8aa92c7
AgentTesla
f8e79509055e8e73a467ac3fc37c303ce1968417c0d4cc76df99af32cf692f02
AgentTesla
f96a186d42be8ee969291167ad5f02198788ce013945bf13e02ee13ce4454049
AgentTesla
+ 10'876 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla agilenet keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201109-2vhw6ynp96/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Obfuscated with Agile.Net obfuscator
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip c3e4ef601f74d417fc6eb43f476a53e99c61f78b3890205b9d51ca9896eea229

AgentTesla

Executable exe c7b49d64f3d9a7201d376c1c85085e8aed8b2911e0a7049047a6e8df62e0d70b

(this sample)

  
Dropped by
MD5 2525beb5c8adfa8d81efd475963d5c66
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c3e4ef601f74d417fc6eb43f476a53e99c61f78b3890205b9d51ca9896eea229
Cape
Cape
https://www.capesandbox.com/analysis/9023/

Comments