MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ffd5275e6ecc279f3166ac814d3bce6ee674c85b866705d2879ae8e627f8fcb8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ffd5275e6ecc279f3166ac814d3bce6ee674c85b866705d2879ae8e627f8fcb8
SHA3-384 hash: 711f6bc1ff767cfa39effdb6db078aa770c6f52b7a22e70425fa6c3aefca4a9de3bf007cb62744f2b73fb6f32382adcb
SHA1 hash: 527b988d760b929bfc81ff6fac019f24e865ff36
MD5 hash: ad865c223b5e17e574042e8f479b08a0
humanhash: floor-paris-earth-mexico
File name:URGENT-PRODUCT RFQ-21553-2020 -PDF.SCR
Download: download sample
Signature AgentTesla
Create hunting rule
File size:549'376 bytes
First seen:2020-07-02 07:17:01 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:k3MGkwGTTryA3Y7lhqcAjKUXvRmjYofj/D:kTsTO7K8db
Threatray 10'684 similar samples on MalwareBazaar
TLSH 31C4AEC469B99B45E37657F68564DC7407B67D2B252AE3880CE6BCDBB470F800B80B1B
Reporter abuse_ch
Tags:AgentTesla scr


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: hosted-by.24xservice.com
Sending IP: 95.211.208.25
From: Zepacki rolend <sumant.k@indiaelec.com.sg>
Subject: URGENT-PRODUCT RFQ-21553-2020
Attachment: URGENT-PRODUCT RFQ-21553-2020 -PDF.cab (contains "URGENT-PRODUCT RFQ-21553-2020 -PDF.SCR")

AgentTesla SMTP exfil server:
mail.badamli.az:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
88
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/18353/
Detection(s):
SecuriteInfo.com.Variant.Ursu.930891.6400.4017.UNOFFICIAL
Create hunting rule

Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ffd5275e6ecc279f3166ac814d3bce6ee674c85b866705d2879ae8e627f8fcb8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-02 07:18:09 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=77ksoxtozqtz6mlgvsau2o6on3thjsc3qztqluuhtluomj7y7s4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
094a94a9a5ee71992fe8e9ad8195055ee45b9f0419912f8f26096a741bc0c434
AgentTesla
0f554bb19749e97d63525c4d964041e8d6fc149cb0aec5c4560cccf09babc39c
AgentTesla
1dc42296af9ef7fa6fb9f894947b9547b964ff2926894bb2b52a09283b7a4b60
AgentTesla
4163f850032d58f8df3a47be1173ff7ff5d89c989512bd08979e724261994345
AgentTesla
7013e2ac13e42bbee07bb06c5f9c2e4b625a6599a64bccf0e844ba2e995e0737
AgentTesla
71146568c5f7e1bc849a6f73bf08ba68c14e73fcaf049da083879f15a2cecc44
AgentTesla
86db9023f1d89c9c6c12160296a890b4eaeea74f23fc24219e9dd14b0e4988c4
AgentTesla
d3e66e348953a589c9852de7f1b10516f6f7cd1287f33ea12cc6ff44a96e1419
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
f3635e26f70dfb1240a5f8c7b09ea634ee9e5b6692cb73829b0124c0b2505281
AgentTesla
+ 10'674 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200702-thywd2nztn/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Malware family:
AgentTesla.v2
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ffd5275e6ecc/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab 44dd52b74bddab4b3d2708aa9df822c579e5c723d1ceda100bf078088af558c4

AgentTesla

Executable exe ffd5275e6ecc279f3166ac814d3bce6ee674c85b866705d2879ae8e627f8fcb8

(this sample)

  
Dropped by
MD5 1d9fd5498a4b17c199c796f25c06871c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 44dd52b74bddab4b3d2708aa9df822c579e5c723d1ceda100bf078088af558c4
Cape
Cape
https://www.capesandbox.com/analysis/18353/

Comments