MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f70e37d9c9380b978df1ccb8a67f644bb7d90174c420ff4b90beb61edb9e5f99. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 4


Intelligence 4 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f70e37d9c9380b978df1ccb8a67f644bb7d90174c420ff4b90beb61edb9e5f99
SHA3-384 hash: 10e153bf22fec9050bdce2efc4147f1e3ca6dda402570b03753894c0f4c18b1e2d191b52f0a50eaf279755fc4208ff0a
SHA1 hash: e9ad773124877991b44c1a3a4bd7c3969ea3d0de
MD5 hash: 313caf287b9a6b2d70c0e754345aca62
humanhash: lion-zebra-football-angel
File name:Order and Invoice.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:406'528 bytes
First seen:2020-05-27 08:06:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:5EdlBFiNifJyBLFw3DZdfRuqCbDAv5GNF:WdPkeA5w3T8q
Threatray 139 similar samples on MalwareBazaar
TLSH 6A84BF9C361472EFC85BD4B699A42C64ABA120BB130BD347995311EEAE0CAC7DF145F3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: nasegypt.com
Sending IP: 37.49.230.36
From: Tonny Hai <ashraf@nasegypt.com>
Reply-To: Email ADMIN <noreply@domain-admin.com>
Subject: Re: Order
Attachment: Order and Invoice.rar (contains "Order and Invoice.exe")

AgentTesla SMTP exfil server:
mail.privateemail.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.Artemis313CAF287B9A.28308.UNOFFICIAL
Create hunting rule

Gathering data
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-05-27 09:05:00 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
23 of 31 (74.19%)
Threat level:
  2/5
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0b0843fec59e2e7c90b04d88f9d90f7e6a3c8e7511a601d20ba588a52380781b
AgentTesla
177b73c79389109f104de7e18a98b666fac019dae540695eff90bc1093f3db3d
AgentTesla
3853c83c0df51ab8dc2d06d29efc8ca581044dbbcfe4c7c4d05fcc0ab62e22a8
AgentTesla
538a207974969d50055870c016eb819c2a71a1388db863bf025ea5bc2144b00b
AgentTesla
717cc1c1cd1788a45027d549ae018a57f72e8f5f7586be633055c2400440b489
AgentTesla
939fdc62cfcefb4deae6e71b84abe160c14fc6b41c787064479f607b1d5bacca
AgentTesla
a66accde52c8f24dbd3d705a4babfee4015f547dc6f7a608cb6d37dd2930fccd
AgentTesla
c51d3c8be3936b476ac729e5ddc15eb4dcd5dea18dbcf8200f0767b33ab0b076
AgentTesla
ee6195ec1370d529ba036d6ce5f7ca391822519455a57817e1576ac8a45b8b8d
AgentTesla
f86be0fe01d3a3fae24c8bf92bb289ec52dd7f6a9461b9ce95f062d162f124c0
AgentTesla
+ 129 additional samples on MalwareBazaar
Result
Malware family:
m00nd3v_logger
Create hunting rule
Score:
  10/10
Tags:
family:m00nd3v_logger coreentity rezer0 spyware stealer
Link:
https://tria.ge/reports/201109-k7zskpflr2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Uses the VBS compiler for execution
M00nD3v Logger Payload
rezer0
CoreEntity .NET Packer
M00nd3v_Logger
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:APT_NK_BabyShark_KimJoingRAT_Apr19_1
Create hunting rule
Author:Florian Roth
Description:Detects BabyShark KimJongRAT
Reference:https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 9ca1d2b514e14e28a07dc578de2077c610ee7d022420380e960a2ee03e38bfd5

AgentTesla

Executable exe f70e37d9c9380b978df1ccb8a67f644bb7d90174c420ff4b90beb61edb9e5f99

(this sample)

  
Dropped by
MD5 6fa7fc511174dcc8b6e396470f6dac41
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9ca1d2b514e14e28a07dc578de2077c610ee7d022420380e960a2ee03e38bfd5

Comments