MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f49d13411efa1b43fa53a5dc39e03d62164f21620ec3c18b870710275685933c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f49d13411efa1b43fa53a5dc39e03d62164f21620ec3c18b870710275685933c
SHA3-384 hash: 37fdfe852c2cbdfa57a85beb6c6b7e0736a64588acf805a70b920e05c665c4d89e9be00e7e8cece50034bccb51a50b24
SHA1 hash: 19c3ea438b7128761eb4c886959f1348417dc39d
MD5 hash: c08f541cd573eabbeb30f70ad3281864
humanhash: may-green-nitrogen-snake
File name:RFQ EZR#341009_pdf.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'275'392 bytes
First seen:2020-07-08 06:29:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:YeCSi8jS+ZQekkV6ZGHDT8g0yLiLhKlXwsHZ/WNNxyhKlXwsHZ/WNNxIC:YESZe58GHP80iLslhtWoslhtWyC
Threatray 940 similar samples on MalwareBazaar
TLSH BD458BE0FE53D506C2290EF1C45EC20C8DA6EF5A1B06ED4A6A88F799046670CDDC67F6
Reporter abuse_ch
Tags:AgentTesla scr


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: outbound.msecuredatalabs.com
Sending IP: 216.55.99.205
From: Procurement <investorservices_bil@surana.com>
Subject: RFQ EZR#341009_pdf
Attachment: RFQ EZR341009_pdf.img (contains "RFQ EZR#341009_pdf.scr")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/22832/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun with Startup directory
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f49d13411efa1b43fa53a5dc39e03d62164f21620ec3c18b870710275685933c/
Threat name:
ByteCode-MSIL.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-07-08 06:30:09 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6sorgqi67inuh6stuxodtyb5mile6ilcb3b4dc4ha4icovufsm6a._file
Verdict:
malicious
Similar samples:
09344b412ef8dbc6b398dd6e3580f482382bd24b672554039668b17a39661b50
AgentTesla
1ae52558dadc5c5b388c0a64b6e54ead3280540b5a1db2d90f20d960257004dd
AgentTesla
4b540d8dbf441994703593fb0d77bfecde0ea29daffd43b721de2bed1b9e497c
AgentTesla
4fa82bcc428147d23e5abc86fb9bfdc61829d91094659e74250ac43ab9a73ab4
AgentTesla
657c48c3e07fed5d334e86e1286ac8289c0269f4f53375e6ce4307fbd59a2f27
AgentTesla
b215d5e7cf39628497363e29d2dce0475e7180da848f7f6032d1187c78fd16bf
AgentTesla
b528251075071c38ce1e0b667af69434125bd6f8afb0de6401b83b41939b2ced
AgentTesla
d3585150a0d7118b7d4dd19bb781d4eee5887fa56bdd61a337181a9ff24f023f
AgentTesla
d4d432c94d69e9a57f473c042f53abc181aa8919981206a3714201f429c19b44
AgentTesla
f9397a0438f1e3a8d03aa326dc4910482df49dd295228d9a4dda1f55247fd6e3
AgentTesla
+ 930 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200708-fr8t8t1hfe/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

c8c4a41cb3972586facc8b9393925af5

AgentTesla

Executable exe f49d13411efa1b43fa53a5dc39e03d62164f21620ec3c18b870710275685933c

(this sample)

  
Dropped by
MD5 c8c4a41cb3972586facc8b9393925af5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/22832/

Comments