MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 03d66be7ade72a6e072f8e66ee4448ab298fea0ada2419f071cedc688d40e417. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	03d66be7ade72a6e072f8e66ee4448ab298fea0ada2419f071cedc688d40e417
SHA3-384 hash:	909bc4f5b91c417a159bcfd161a4cf551aaeb167d590298d4392c560b6fdc40d01979d7fd35300849accc0d893f8e648
SHA1 hash:	a178fce2728d894917a758323ce134d38b5163a7
MD5 hash:	97cf6d37db102cc28670d8ad004ebff8
humanhash:	grey-michigan-fruit-double
File name:	RFQ.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	410'112 bytes
First seen:	2020-07-13 13:38:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:cSHAWllHrlayLQgmQ/ywEy5g95pYvwKjOyK1NIwjBhVfxy/e8QuUkkT:MWljBmQ/XngC20wjHrkUkk
Threatray	10'581 similar samples on MalwareBazaar
TLSH	BC940266635C5764CCD98E3478FC7EC53B222306A322D68D482F56BDC30B33962667DA
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/25370/

Detection(s):

SecuriteInfo.com.Variant.Razy.713563.5130.18174.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/03d66be7ade72a6e072f8e66ee4448ab298fea0ada2419f071cedc688d40e417/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2020-07-13 13:37:48 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=aplgxz5n44vg4bzprzto4rcivmuy72qk3isbt4drz3ogrdka4qlq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

b8816e0b814bc0528b84fe7e0e89cf5e8168b64a8028d8610510a59f3f7c2268

AgentTesla

bb8e4fd77036e0c835a7362aa8288dc6d24a935917455d8c6dbdf28361ff725d

AgentTesla

ca17352e0db0473648e2a8b1ae67af88d9edd3ce4e4e0c03c325383e87090d21

AgentTesla

e262818c0921d407d263d64f8eafd7e60baeb2127eec70800a1f649f3bf002e5

AgentTesla

e33c752fbfeeead0e2dee1a5bcbdfa68d044c258b046bc93f061d477ae5108b7

AgentTesla

eb1f506f0927ee91a647c5522fff201da5e4ab2e4e4ddd7e89d77baec78a2b4d

AgentTesla

f46cfcc5f7d2705b8c86cd20668df3e5fa6d6468de5e78af1ec04132b2e1fb78

AgentTesla

f8e184f76b586ee06075217550923bca1450cde335435718fb21a82e27729163

AgentTesla

ffd474ba42b484a0c7eb8688e37334d55e65c49dcb88dcf3bc542276cd7d5348

AgentTesla

+ 10'571 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200713-advspq1e8j/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Program crash

Suspicious use of SetThreadContext

Maps connected drives based on registry

Reads user/profile data of local email clients

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/25370/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample