MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0fb739ef1d92cb9e84d30184e289bdcc2e1d851d302e69665d34ce9768c3ddbc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 0fb739ef1d92cb9e84d30184e289bdcc2e1d851d302e69665d34ce9768c3ddbc
SHA3-384 hash: 0729ab4cbcd496a2e769042e96af98141fbc779e8b6fce49d9e31b09e8686189a7a33bcdd26c1e7007efe93d6b7d15ef
SHA1 hash: 034c7ea6739bfb0a5668bca7feb3f99c478f4c54
MD5 hash: 9ccf791b69627a16345255c782d75795
humanhash: purple-six-robert-wyoming
File name:RFQ4638B.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:742'168 bytes
First seen:2020-07-20 07:33:14 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:wClq6KltUaGkL2GnK1T26Gy86VxwcyRZUuBOCWCJupfbxIpQzMmrTEAugG/DxnSr:pMfUaGWFPRZjduh12kcHPSkw
Threatray 10'632 similar samples on MalwareBazaar
TLSH 99F45C393A825825D93E0A3784E4A9D173B465473F12CF1F3AC6176C9E037CB3B86666
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: wibisana.dua.rumahweb.com
Sending IP: 103.253.212.247
From: Friedsam <order13@willamco.xyz>
Subject: Order
Attachment: RFQ4638B.zip (contains "RFQ4638B.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28555/
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/390943
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 247591 Sample: RFQ4638B.exe Startdate: 20/07/2020 Architecture: WINDOWS Score: 88 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected AgentTesla 2->34 36 Sigma detected: Add file from suspicious location to autostart registry 2->36 38 2 other signatures 2->38 7 RFQ4638B.exe 4 2->7         started        10 pcalua.exe 1 2->10         started        12 pcalua.exe 1 1 2->12         started        process3 file4 26 C:\Users\user\AppData\Roaming\...\intel.exe, PE32 7->26 dropped 28 C:\Users\user\...\intel.exe:Zone.Identifier, ASCII 7->28 dropped 30 C:\Users\user\AppData\...\RFQ4638B.exe.log, ASCII 7->30 dropped 14 cmd.exe 1 7->14         started        16 intel.exe 7->16         started        18 intel.exe 1 10->18         started        process5 signatures6 21 reg.exe 1 1 14->21         started        24 conhost.exe 14->24         started        40 Multi AV Scanner detection for dropped file 18->40 42 Machine Learning detection for dropped file 18->42 process7 signatures8 44 Creates an autostart registry key pointing to binary in C:\Windows 21->44
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/0fb739ef1d92cb9e84d30184e289bdcc2e1d851d302e69665d34ce9768c3ddbc/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 07:35:07 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=b63tt3y5slfz5bgtagcofcn5zqxb3bi5gaxgszs5gthjo2gd3w6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2ea83d557d9b9fcfa771dda7bb75fadde4e7a3d7f4f66f3fef23ecf758f084c0
AgentTesla
3bf2b67fb65e52b1ae2091d5ae6d569079c6fab8d5d99f8ebe0b179158efdacd
AgentTesla
5ab5e18b5ffe74e4c3ccf07f2e19f2daf006338022e64806b284eb8e0f0e1c15
AgentTesla
7998ac3e684a8b86abc784ecfbce4a23a54166ef3a08d497a0288dc667c6f510
AgentTesla
89f49fc426262096d0c4c40eace8339a1c09de5e3c6e1d7e0b570ba08713d9db
AgentTesla
973de14a37f6408161ec0ec249a50527d3cdf4bf7482a67134ac7b0c9e3b7a25
AgentTesla
c01176f8ccb757f80cb32c809cfe0ceec9e100b199d4beec5f92adb824517869
AgentTesla
c4412b2563fa12f9cfb74a6c5f6cd63fa17afd15ef374cf846f3b808e9a01fb5
AgentTesla
cf8d42cb55e45c4d75fae6e07b6802ae059fff427510b16e754d36e522b28a80
AgentTesla
efe9be78a8da440c576162c8bd5498972ec6134b4276c05acb6a3b060a4013bb
AgentTesla
+ 10'622 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200720-lrhpd28xps/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Executes dropped EXE
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/0fb739ef1d92cb9e84d30184e289bdcc2e1d851d302e69665d34ce9768c3ddbc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 8fa805e9251d95bada91a1048e9a379e120069d27a3973534f14bc76b0a5a17f

AgentTesla

Executable exe 0fb739ef1d92cb9e84d30184e289bdcc2e1d851d302e69665d34ce9768c3ddbc

(this sample)

  
Dropped by
MD5 62c5bf321b07cb9bd8a02d097f2b0f79
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/28555/
  
Dropped by
SHA256 8fa805e9251d95bada91a1048e9a379e120069d27a3973534f14bc76b0a5a17f

Comments