MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 167d1af8c8c4a185c34d0e65bab348748fb524f3e95c6136324f1e2d7e310918. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 6 File information Comments

SHA256 hash: 167d1af8c8c4a185c34d0e65bab348748fb524f3e95c6136324f1e2d7e310918
SHA3-384 hash: de43918d703d998e3b93015cf3e1e7e7f828a1606c2f17cc2439ca54cb6a39029ffacc8ebd8a231bb2d58673039c7c3d
SHA1 hash: 630b016a94f7bee220565d3b9a55a2ae8ef73c5a
MD5 hash: 71028a6ec414b1642243aa4981a3365f
humanhash: october-spaghetti-avocado-bacon
File name:CMR-7146846_PDF.pif
Download: download sample
Signature AgentTesla
File size:317'488 bytes
First seen:2021-09-28 11:18:33 UTC
Last seen:2021-09-30 22:01:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash b76363e9cb88bf9390860da8e50999d2 (241 x Formbook, 141 x AgentTesla, 104 x SnakeKeylogger)
ssdeep 6144:F8LxBsG3/D9BNOnAvOrA4WXnLHz6g2USzAmD5D96r:/G37sAv14WXnL21zAq96r
Threatray 10'373 similar samples on MalwareBazaar
TLSH T1716423229DD1D9B7D9A285302933E76FE3BE90640011E2874F6E6D137DB016B899E1F3
File icon (PE):PE icon
dhash icon b2a89c96a2cada72 (128 x Formbook, 59 x Loki, 47 x DiamondFox)
Reporter @malwarelabnet
Tags:AgentTesla exe

Intelligence


File Origin
# of uploads :
3
# of downloads :
103
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
ID:
1
File name:
CMR-7146846_PDF.pif
Verdict:
Malicious activity
Analysis date:
2021-09-28 11:24:01 UTC
Tags:
n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a file
Unauthorized injection to a recently created process
Creating a window
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Nsisx
Status:
Malicious
First seen:
2021-09-28 11:10:21 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
167d1af8c8c4a185c34d0e65bab348748fb524f3e95c6136324f1e2d7e310918
MD5 hash:
71028a6ec414b1642243aa4981a3365f
SHA1 hash:
630b016a94f7bee220565d3b9a55a2ae8ef73c5a
Malware family:
Agent Tesla v3
Verdict:
Malicious

YARA Signatures


MalareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious proccess dumps they may create. Please note that only results from TLP:WHITE rules are being displayeyd.

Rule name:ach_AgentTesla_20200929
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Rule name:Skystars_Malware_Imphash
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments