MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb72ce99cc2d45f842ac5cd6e4e3aeb1b9e66e4fea75b4edfd57ce9a8d3223ca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: fb72ce99cc2d45f842ac5cd6e4e3aeb1b9e66e4fea75b4edfd57ce9a8d3223ca
SHA3-384 hash: 38317ce06a3dbd29555426e5e79d8364e94f9fa1ade7f027e0fb637d9f2ba1454d85d15d23927b1545d6e190f80cef8b
SHA1 hash: 8bf88e4e27ed28b6ea14066ec9b53582ee29476a
MD5 hash: 85a206115a80d17c60affe071a0358a3
humanhash: mango-london-red-oscar
File name:Factura pendiente.exe
Download: download sample
Signature AgentTesla
File size:524'288 bytes
First seen:2020-06-24 13:24:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:b+gNMfwt2H7eBgRya10W2Qr49nsCVwW82ExDPxfBOlBO:bBNGH7N10jQ89nsCTExDZfBOa
TLSH 91B4021B7BACFE17CA7905F9D8961B4417B929AB6141F7D82CC074B918C3BE80A247C7
Reporter @abuse_ch
Tags:AgentTesla exe


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: mout.kundenserver.de
Sending IP: 217.72.192.75
From: Pedidos Sarabia Tolmos <pedidos@sarabiatolmos.es>
Reply-To: Pedidos Sarabia Tolmos <pedidos@sarabiatolmos.es>
Subject: Re: facturas pendientes
Attachment: Factura pendiente.rar (contains "Factura pendiente.exe")

AgentTesla SMTP exfil server:
mail.nkinstruments.com:587

Intelligence


File Origin
# of uploads :
1
# of downloads :
45
Origin country :
US US
Mail intelligence
Geo location:
Global
Volume:
Low
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Enabling autorun with Startup directory
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2020-06-24 13:26:07 UTC
AV detection:
26 of 31 (83.87%)
Threat level
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe fb72ce99cc2d45f842ac5cd6e4e3aeb1b9e66e4fea75b4edfd57ce9a8d3223ca

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments