MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f67337d939b7a8d33762e080856099d05b5ff3404bc285f4dd249281289f57c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: f67337d939b7a8d33762e080856099d05b5ff3404bc285f4dd249281289f57c8
SHA3-384 hash: 1312fe9f28edb911a63a7c58a2ba3ebe9e515d8a8a839327a32e35d874a74cc90b778b4e9982718e5de623908d5c5af2
SHA1 hash: 3c9c83a029cec65cb1a45f60aca45ca2eec9215f
MD5 hash: 05fbb43cc400bde8bbe2906e2d80d3a1
humanhash: north-network-freddie-seven
File name: Encomenda a Fornecedor nº 2177.exe
Signature: AgentTesla
File size: 652'800 bytes
First seen: 2020-07-31 16:08:56 UTC
Last seen: 2020-07-31 16:48:58 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:iHAgbCa8sGQTr79qgELUsijKfSnU7uX0/+hnDYEvlOQ3XdQkOAr/h:iHX8kT9YTUpnU6K+hD9lOQ3Xp
TLSH: 8BD42A393AC3A414D93E1A7688B469D167B1B28B2F01CF1F39C61B9C5F036CB7B4615A
Reporter: @abuse_ch
Tags: AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

From: Rieche GmbH & Co.KG <laclavelina@laclavelina.com>
Subject: Inquiry : IP200299 / AF2004063
Attachment: Encomenda a Fornecedor nº 2177.img (contains "Encomenda a Fornecedor nº 2177.exe")

AgentTesla SMTP exfil server:
mail.gruppoei.tk:587

AgentTesla SMTP exfil email address:
gaddafi@gruppoei.tk
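The indicators above (file digests, malspam sender, a disk-image attachment wrapping the .exe, and the SMTP exfiltration host and mailbox) are the parts of this entry a responder actually hunts with. The script below is an added example, not MalwareBazaar's or the reporter's code: it computes the same digests the entry lists so a local copy can be confirmed, and runs the mail and SMTP indicators over constructed log lines. The log formats (from=<...> attachment="..." for the gateway, "src -> host:port" plus envelope addresses for SMTP) are assumptions made for the example and do not correspond to any particular product.

```python
"""Added example: match this MalwareBazaar entry's indicators against a file
and against constructed mail-gateway and SMTP transaction log lines.
Not MalwareBazaar's or abuse.ch's code; log formats are assumed."""
import hashlib
import re

# Indicators copied from the entry.
SAMPLE_HASHES = {
    "sha256": "f67337d939b7a8d33762e080856099d05b5ff3404bc285f4dd249281289f57c8",
    "sha1": "3c9c83a029cec65cb1a45f60aca45ca2eec9215f",
    "md5": "05fbb43cc400bde8bbe2906e2d80d3a1",
    "sha3_384": "1312fe9f28edb911a63a7c58a2ba3ebe9e515d8a8a839327a32e35d874a74cc90b778b4e9982718e5de623908d5c5af2",
}
MALSPAM_SENDER = "laclavelina@laclavelina.com"
EXFIL_HOST = "mail.gruppoei.tk"
EXFIL_PORT = 587
EXFIL_MAILBOX = "gaddafi@gruppoei.tk"
# Mountable disk-image containers: the lure shipped the .exe inside a .img, so the
# gateway sees a container rather than a bare PE attachment.
DISK_IMAGE_EXTS = (".img", ".iso", ".vhd", ".vhdx")


def digests(data: bytes) -> dict:
    """Compute the four digests the entry lists (hashlib provides all of them)."""
    return {name: getattr(hashlib, name)(data).hexdigest() for name in SAMPLE_HASHES}


def matches_sample(data: bytes) -> bool:
    """True if any listed digest matches the given bytes."""
    d = digests(data)
    return any(d[k] == v for k, v in SAMPLE_HASHES.items())


# Constructed gateway log lines (assumed format, not a real product's).
MAIL_LOG = [
    'from=<laclavelina@laclavelina.com> to=<buyer@example.invalid> subject="Inquiry : IP200299 / AF2004063" attachment="Encomenda a Fornecedor nº 2177.img"',
    'from=<newsletter@example.invalid> to=<buyer@example.invalid> subject="Weekly digest" attachment="digest.pdf"',
    'from=<partner@example.invalid> to=<buyer@example.invalid> subject="Invoice" attachment="invoice_2177.iso"',
]
MAIL_RE = re.compile(r'from=<(?P<sender>[^>]+)>.*?attachment="(?P<attachment>[^"]*)"')


def triage_mail(line: str) -> list:
    """Reasons a gateway line matches this campaign (empty list if none)."""
    m = MAIL_RE.search(line)
    if not m:
        return []
    reasons = []
    if m["sender"].lower() == MALSPAM_SENDER:
        reasons.append("sender matches the malspam IOC")
    if m["attachment"].lower().endswith(DISK_IMAGE_EXTS):
        reasons.append("disk-image attachment (container that can hide a PE)")
    return reasons


# Constructed SMTP transaction records (assumed format): src -> host:port, envelope.
SMTP_LOG = [
    "2020-07-31T16:15:52Z 10.10.4.21 -> mail.gruppoei.tk:587 AUTH LOGIN; MAIL FROM:<gaddafi@gruppoei.tk>; RCPT TO:<gaddafi@gruppoei.tk>",
    "2020-07-31T16:16:10Z 10.10.4.21 -> smtp.example.invalid:587 MAIL FROM:<user@example.invalid>; RCPT TO:<buyer@example.invalid>",
]
SMTP_RE = re.compile(r"(?P<src>\S+) -> (?P<host>[^:\s]+):(?P<port>\d+)")
ADDR_RE = re.compile(r"<([^>]+)>")


def triage_smtp(line: str) -> list:
    """Reasons an SMTP record matches the exfil indicators (empty list if none)."""
    m = SMTP_RE.search(line)
    if not m:
        return []
    reasons = []
    if m["host"].lower() == EXFIL_HOST and int(m["port"]) == EXFIL_PORT:
        reasons.append("session to the AgentTesla SMTP exfil server")
    if EXFIL_MAILBOX in {a.lower() for a in ADDR_RE.findall(line)}:
        reasons.append("exfil mailbox in the SMTP envelope")
    return reasons


def triage(mail_lines, smtp_lines) -> list:
    """Return (line, reasons) for every line that matched at least one indicator."""
    hits = [(l, triage_mail(l)) for l in mail_lines]
    hits += [(l, triage_smtp(l)) for l in smtp_lines]
    return [(l, r) for l, r in hits if r]


if __name__ == "__main__":
    for line, reasons in triage(MAIL_LOG, SMTP_LOG):
        print(line[:70], "->", "; ".join(reasons))
```

The hash indicators are the most brittle: AgentTesla builds are repacked per campaign, so a new attachment will not match any digest here. The delivery pattern (a mountable .img carrying an .exe) and the exfiltration destination are more durable, and the latter rides on TCP 587, which many egress policies allow; SMTP AUTH sessions from workstations to mail servers the organisation does not use deserve a rule of their own.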

Intelligence


File Origin
# of uploads: 2
# of downloads: 54
Origin country: FR (France)

Mail intelligence
Geo location: IT (Italy), volume: Low
Geo location: Global, volume: Low

Vendor Threat Intelligence
Detection: AgentTeslaV2

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.adwa
Score: 51 / 100
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Drops PE files to the startup folder
Sigma detected: Add file from suspicious location to autostart registry
Yara detected AgentTesla
Behaviour
Behavior Graph:
Behavior Graph ID: 255474
Sample: Encomenda a Fornecedor nº 2177.exe
Start date: 01/08/2020
Architecture: WINDOWS
Score: 51
Signatures on the sample: Yara detected AgentTesla; Sigma detected: Add file from suspicious location to autostart registry; .NET source code contains very large array initializations; Drops PE files to the startup folder

Process tree (numbers in parentheses are the graph's node IDs):
Encomenda a Fornecedor nº 2177.exe (7) started
    dropped: C:\Users\user\AppData\Roaming\...\jas.exe, PE32
    dropped: C:\Users\user\AppData\...\AddInProcess32.exe, PE32
    cmd.exe (16) started
        reg.exe (20) started; signature: Creates an autostart registry key pointing to binary in C:\Windows
        conhost.exe (23) started
    jas.exe (18) started
jas.exe (10) started
pcalua.exe (12) started
pcalua.exe (14) started
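The sandbox signatures above reduce to two persistence checks: a reg.exe "add" to a Run key whose value points into a user-writable directory, and a PE written to the Startup folder. The script below is an added example, not MalwareBazaar's code and not the Sigma rule the sandbox matched; it re-implements those checks over constructed Sysmon-style events (field names loosely follow Sysmon's Image, CommandLine and TargetFilename) and reconstructs the sample -> cmd.exe -> reg.exe chain from the graph. The pcalua.exe check is an assumption: the graph shows pcalua.exe starting but records no arguments, and pcalua.exe (the Program Compatibility Assistant launcher) is a known proxy for executing a binary given after -a, so the example flags that pattern separately.

```python
"""Added example: re-implement this entry's two persistence signatures over
constructed Sysmon-style events.  Not MalwareBazaar's code; the events and
the pcalua.exe heuristic are assumptions made for the example."""
import re
from typing import Optional

# `reg add <key> ... /d <data>`; the data argument may or may not be quoted.
REG_ADD = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?(?P<key>[^"\s]+)"?.*?/d\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))',
    re.IGNORECASE,
)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# User-writable locations; a Run value pointing here is the sandbox's
# "add file from suspicious location to autostart registry" condition.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def run_value_target(cmdline: str) -> Optional[str]:
    """Path written to a Run/RunOnce key by a `reg add`, or None."""
    m = REG_ADD.search(cmdline)
    if not m or not RUN_KEY.search(m["key"].rstrip("\\")):
        return None
    return m["q"] if m["q"] is not None else m["u"]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def process_chain(events, pid: int) -> list:
    """Image names from pid up to the first parent not present in the events."""
    procs = {e["Pid"]: e for e in events if e["Event"] == "ProcessCreate"}
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["Image"]))
        pid = procs[pid]["ParentPid"]
    return chain


def detect(events) -> list:
    """Return (rule, pid, detail) tuples for every event matching a rule."""
    alerts = []
    for e in events:
        if e["Event"] == "ProcessCreate":
            img = basename(e["Image"]).lower()
            if img == "reg.exe":
                target = run_value_target(e["CommandLine"])
                if target and any(d in target.lower() for d in USER_WRITABLE):
                    alerts.append(("autostart_registry", e["Pid"], target))
            # Assumption, not from the entry: pcalua.exe -a <binary> proxies execution.
            elif img == "pcalua.exe" and "-a" in e["CommandLine"].lower().split():
                alerts.append(("pcalua_proxy_exec", e["Pid"], e["CommandLine"]))
        elif e["Event"] == "FileCreate":
            p = e["TargetFilename"].lower()
            if STARTUP_DIR in p and p.endswith(".exe"):
                alerts.append(("startup_folder_drop", e["Pid"], e["TargetFilename"]))
    return alerts


# Constructed events mirroring the graph's node IDs (7, 16, 20, 12); paths are
# invented for the example, including the jas.exe directory the entry elides.
EVENTS = [
    {"Event": "ProcessCreate", "Pid": 7, "ParentPid": 2,
     "Image": r"C:\Users\user\Desktop\Encomenda a Fornecedor nº 2177.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Encomenda a Fornecedor nº 2177.exe"'},
    {"Event": "FileCreate", "Pid": 7,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\jas\jas.exe"},
    {"Event": "FileCreate", "Pid": 7,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jas.exe"},
    {"Event": "ProcessCreate", "Pid": 16, "ParentPid": 7,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jas /t REG_SZ /d "C:\Users\user\AppData\Roaming\jas\jas.exe" /f'},
    {"Event": "ProcessCreate", "Pid": 20, "ParentPid": 16,
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jas /t REG_SZ /d "C:\Users\user\AppData\Roaming\jas\jas.exe" /f'},
    {"Event": "ProcessCreate", "Pid": 12, "ParentPid": 2,
     "Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\user\AppData\Roaming\jas\jas.exe"},
    # Benign control: reg.exe reading a key writes no Run value and must not fire.
    {"Event": "ProcessCreate", "Pid": 40, "ParentPid": 2,
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName"},
]


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(rule, pid, "chain:", " <- ".join(process_chain(EVENTS, pid)), "|", detail)
```

Matching on the reg.exe process rather than on the parent cmd.exe line keeps the rule independent of how the value was set; a registry SetValue event on the Run key would catch the same persistence when reg.exe is not used at all.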
Threat name: Win32.Infostealer.Agensla
Status: Malicious
First seen: 2020-07-31 16:10:09 UTC
AV detection: 18 of 30 (60.00%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: keylogger stealer family:agenttesla
Behaviour: AgentTesla Payload; Agenttesla family

Threat name: Malicious File
Score: 1.00

Yara Signatures


Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research
Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name: win_agent_tesla_w1
Author: govcert_ch
Description: Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
    AgentTesla
        Executable exe f67337d939b7a8d33762e080856099d05b5ff3404bc285f4dd249281289f57c8 (this sample)

Delivery method: Distributed via e-mail attachment

Comments