MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c885dc67b25339b6b1567e5b6e541eca318a61736d9c66569ad8241b9f10d87b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c885dc67b25339b6b1567e5b6e541eca318a61736d9c66569ad8241b9f10d87b
SHA3-384 hash: 742f22fb663ccb64c941143d45d02feeff58487e2d81ffda48b25f775986bc515024f0af3b0d9f4594cf3b977657cc96
SHA1 hash: 3e680cd3d4e59fea5d0b7a6b7bf0dc6d823313e9
MD5 hash: 92af72d834b1e3f5813b6bcb51482c3b
humanhash: neptune-connecticut-item-fruit
File name:DanishCrown_FoodsAS_OrderQuote08022020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:726'016 bytes
First seen:2020-07-04 17:09:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:r/gQvHroM+/UMwCvo6JufWyymAbSEcgW9qgDHbH1dQizzaAcBWO+F1ZvB3q/68s+:sQjoMq6l3yJTsHTQ2+BWOGeViTOAX1
Threatray 10'607 similar samples on MalwareBazaar
TLSH 1DF42939BB8AA425C53C057644B55995F3B0A5473A02C70F3AC7676CAE063CF3B462EE
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: EXCHG.BOBMILLS.com
Sending IP: 72.213.92.228
From: Jorgen-Ole B. Jensen (JOBJ) <JOBJ@danishcrown.com>
Subject: Re:SV:P.O.orders/Offer(DanishCrownFoods A/S)
Attachment: DanishCrown_FoodsAS_OrderQuote08022020.xlsm

AgentTesla payload URL:
http://hasteemart.com/DanishCrown_FoodsAS_OrderQuote08022020.exe

AgentTesla SMTP exfil server:
mail.stalexinc.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c885dc67b25339b6b1567e5b6e541eca318a61736d9c66569ad8241b9f10d87b/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-04 16:38:04 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=zcc5yz5skm43nmkwpznw4va6ziyyuyltnwogmvu23asbxhyq3b5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a4ac915ba6f8c018081c160cd3bf260b2b96d9d4f9a0505398e2aff62b09318
AgentTesla
1a9ababb0d36f8e517a5054495b624979525b05a425438e295f09578a21bcd7a
AgentTesla
2865a12b350dd2ea38de20b7b2a97f968c929114e408fa901b1e5a100b7c5ef4
AgentTesla
573bf62a057b251920724ed4b890c79beef4fc52b9355038eddbcdd58957986b
AgentTesla
649dcd10ca137b9ef60a6725714d8b48781b7db63b3802281e5d739dff31d1df
AgentTesla
68a9e2865afa7d982775ae96d054e37d6931f5cd79ff45841526bba1b6e285ae
AgentTesla
7a6ca5fc154848fb338acb8c6ed9643b99d94df75a198133cf779353a84014b1
AgentTesla
8424b5a86327251f934d4e4526de3d48b942c0953a866f84de2d7bb19a5fbc04
AgentTesla
9b0ba2cb530b920af87b3a5a2f34f39aca6be54c7e25b12e4670da9f0ca646db
AgentTesla
c0c9d39c38d2a11f2fecbdef73f915ffc29f2d4c1b40817fa8dcf51233d66c12
AgentTesla
+ 10'597 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200704-jjgpfdtgan/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Modifies service
Adds Run entry to start application
Reads user/profile data of web browsers
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xlsm b2741e8b5c4518f8eefe156dd494c2f791ce6f4b5fda13f37f79b98442839377

AgentTesla

Executable exe c885dc67b25339b6b1567e5b6e541eca318a61736d9c66569ad8241b9f10d87b

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/407704/
  
Dropped by
MD5 3d9bf8945b2539d305eec73f1fb7dda8
  
Dropped by
SHA256 b2741e8b5c4518f8eefe156dd494c2f791ce6f4b5fda13f37f79b98442839377
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/20516/

Comments