MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 efce4b4309987f45ebc256f2d489446ebdea2b2a31056f65459cc59589aeecdb. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: efce4b4309987f45ebc256f2d489446ebdea2b2a31056f65459cc59589aeecdb
SHA3-384 hash: c3961ee85a401586212b92b0498464351b8db9fe5bdea4aa51bd34c5ecd8f757932840b5b6de75a34e57925015445b5a
SHA1 hash: 9c3e394f79b8af8b8918e57b01b9ca871b7c1486
MD5 hash: 1279492a77702c45b0163a9e49d82cd8
humanhash: mango-wyoming-item-network
File name:SI,, packing list_images_.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:394'752 bytes
First seen:2020-07-02 17:43:41 UTC
Last seen:2020-07-02 18:53:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:GRmqdw0FRzLPTHrvTzzn//Ed2HzIhuKkC1g0V5XM2H:qRrjXPTHrvTzzn//FHog0V
Threatray 10'654 similar samples on MalwareBazaar
TLSH 9D84C0459A61CE0DCADA9279E8D6E221C3B4C1936C03F75B0EBF9C4E15C768D2C81DAD
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.example.com
Sending IP: 103.147.184.169
From: Ahlia Chemicals Company - Sabhan <admin@beoxies.ml>
Subject: 回覆: Rubberwood Panel Board Enquiry
Attachment: Rubber_Panel_order_images.rar (contains "SI,, packing list_images_.exe")

AgentTesla SMTP exfil server:
smtp.office365.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18530/
Detection(s):
SecuriteInfo.com.Trojan.GenericKDZ.68324.16845.12774.UNOFFICIAL
Create hunting rule

Detection:
n/a
Link:
https://mwdb.cert.pl/sample/efce4b4309987f45ebc256f2d489446ebdea2b2a31056f65459cc59589aeecdb/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 17:45:07 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=57hewqyjtb7ul26ck3znjcken266ukzkgecw6zkfttczlcno5tnq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1ce738086443ade648366b956e276eb47b5aa75985784552a8db057188e6f7e1
AgentTesla
273354be097b6ed6022eac720e2a6ff987242d38ad320630d78f6b5f3969a706
AgentTesla
2a725a3a79209716834b3b42df941a9356d3d95cf84dafaadcbb4ecc6e657551
AgentTesla
43af6ba4b7f666fe6a4ea1ef96142ed84a709d1e41bbd88c531882d88401899d
AgentTesla
521682b3d5f74a75604bdbacc12c5aab77eac5505b39825f10c0e0766c6c321e
AgentTesla
678b9fd48c80a3dd4db9ecee8a22ef3d4ef4ce32a2f5778c5ee6d6f15758c8b1
AgentTesla
87c88de3a875c7997a34e00e8c7c97577f046332811dcef6cba7c33b37c42396
AgentTesla
9ffb69f905a00be71fc0493c4148d4462c42f0eb4f3c6b216ce1c3e8241f3cc0
AgentTesla
aff3a5fa9bbbeaa48631511bfcf0a0cd9b4873cb2087acdc6e7a05fe3bfaaa2a
AgentTesla
e632088f3b6717d23c6053d3b3e917a71684475d2a23876b34c3fca2dc7424d1
AgentTesla
+ 10'644 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200702-kfcg2dymen/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run entry to start application
Adds Run entry to start application
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 721554994aa2236a3268cafd73b5d2e98096426cf623fabcbbe0e16d0046a6d0

AgentTesla

Executable exe efce4b4309987f45ebc256f2d489446ebdea2b2a31056f65459cc59589aeecdb

(this sample)

  
Dropped by
MD5 a1ee98f5824442df3cfe03d6597ecc6f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 721554994aa2236a3268cafd73b5d2e98096426cf623fabcbbe0e16d0046a6d0
Cape
Cape
https://www.capesandbox.com/analysis/18530/

Comments