MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d872c84aaa87d90521400f1d6052524e0d2256b3d865aeaad679beea3919a49e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: d872c84aaa87d90521400f1d6052524e0d2256b3d865aeaad679beea3919a49e
SHA3-384 hash: d91eb6299bce31421545b480b04c91769851135171d594c8455561e5aa042526e5a0170e84bcea170455b00a28d60cad
SHA1 hash: 055e0e03018b75b39a551b754f4eaad8067e6481
MD5 hash: 6f5505f192e637d38811991f4f62b81a
humanhash: tango-high-kitten-triple
File name: RFQ_C73639811.PDF.exe
Signature: AgentTesla
File size: 446'464 bytes
First seen: 2020-06-30 13:25:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:jIyl9ZwK6qv4QHfd+g/VRkP0uh8xJjamQvjlwQeWOmV+BMVps6kYxto+QznqLZ0:jbl9X4QFRkJh8xJjatvPpbW6kYxtE60
TLSH: AE941236F3B99719E5BA87F108B159160FF6B80B6610D21E9ED8A1DE0833F449316F63
Reporter: @abuse_ch
Tags: AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: server.sattisleather.community
Sending IP: 162.241.205.0
From: John <info@sattisleather.community>
Subject: RE: Quotation Enquiry
Attachment: RFQ_C73639811.PDF.rar (contains "RFQ_C73639811.PDF.exe")

AgentTesla SMTP exfil server:
smtp.cdldxy-cn.com:587

Intelligence


Mail intelligence
Trap location: Global
Impact: Low
# of uploads: 1
# of downloads: 32
Origin country: US
CAPE Sandbox Detection: n/a
Link: https://www.capesandbox.com/analysis/17218/
ClamAV SecuriteInfo.com.Generic-EXE.UNOFFICIAL
CERT.PL MWDB Detection: agenttesla
Link: https://mwdb.cert.pl/sample/d872c84aaa87d90521400f1d6052524e0d2256b3d865aeaad679beea3919a49e/
ReversingLabs Status: Malicious
Threat name: ByteCode-MSIL.Trojan.Agensla
First seen: 2020-06-30 13:27:05 UTC
AV detection: 28 of 48 (58.33%)
Threat level: 2/5
Spamhaus Hash Blocklist: Malicious file
Hatching Triage Score: 10/10
Malware Family: agenttesla
Link: https://tria.ge/reports/200630-1chenyswgj/
Tags: persistence spyware keylogger trojan stealer family:agenttesla
VirusTotal: Virustotal results 9.86%

Yara Signatures


Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: win_agent_tesla_g2
Author: Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>

Rule name: win_agent_tesla_w1
Author: govcert_ch
Description: Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: AgentTesla
Sample: Executable exe d872c84aaa87d90521400f1d6052524e0d2256b3d865aeaad679beea3919a49e (this sample)
Delivery method: Distributed via e-mail attachment

Comments