MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 473a8f77c574d92bdce8c6537a67e053162b745128fcfbb48a873dc57e6e5321. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	473a8f77c574d92bdce8c6537a67e053162b745128fcfbb48a873dc57e6e5321
SHA3-384 hash:	48d01785555413d4fe29ec848bf05650963633d8f6c7359bc98f99f4a47f91cc8c4ede3f0ce676d994bc002deb5f1f1e
SHA1 hash:	db6b06cb12a20e18a5886a5102b85c213b68f76c
MD5 hash:	c82c54b518ec68d86894645ea1e5a041
humanhash:	single-avocado-march-nebraska
File name:	PO.55278.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	631'296 bytes
First seen:	2020-07-29 14:26:15 UTC
Last seen:	2020-07-29 18:25:38 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:/QeNW73VOFNLcPOw/izgMs5rqplyjSuqkNPCKs7:/Qek3VALcPOw3MQAl+Soa
Threatray	31 similar samples on MalwareBazaar
TLSH	CCD4D068B6A0C920DBBE5238E2ED4914CFFCA0995433E75D3584A3AB1CE3366F50517E
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: slot0.alphasales.cf
Sending IP: 89.32.41.116
From: Challote <contact@alphasales.cf>
Subject: Order Confirmation
Attachment: PO.55278.zip (contains "PO.55278.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/34971/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/402712

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/473a8f77c574d92bdce8c6537a67e053162b745128fcfbb48a873dc57e6e5321/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-29 13:31:55 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=i45i656fotmsxxhiyzjxuz7akmlcw5crfd6pxnekq464k7tokmqq._file

Verdict:

unknown

AgentTesla

180e4218ee6183934cbb4750a6394ab8faa8910ad2215df3334323f43e161758

AgentTesla

3260e8fc7872ff596b2f284a7731619f46311c301be2b04f0910b5f7887b8fb9

AgentTesla

38620b79b0821d5fc2a7e230a3e2c31f30773a749451c3618414d83f82e884e9

AgentTesla

718524efef50f9e043f3db594db14aa1f5e3fba213539b5b219638d089937afe

AgentTesla

7c1c73ea7abca6e91c125085275f01c1964451c9444b5f76dfab7fd7a981dff2

AgentTesla

9ec8e30fe5bac7ee3e9c096fc3702286d6c0fbee3ae1fa4cd7d5a6a411b600e5

AgentTesla

a330dfb1074f6b02e49e5835f820821b0e75f691dac46057332381d172f640ea

AgentTesla

b770e145ef0e53fe2df0d45b04230e97dd214e209bfe9860dfa56988dd7d1796

AgentTesla

d04dfa9f36d64e850ec774b59542cf7e07167144fd6646c3cb3a99740ff75ce0

AgentTesla

+ 21 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla evasion

Link:

https://tria.ge/reports/200729-7dns7s24tx/

Behaviour

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Launches sc.exe

Drops file in Windows directory

Drops file in System32 directory

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Loads dropped DLL

Blacklisted process makes network request

Executes dropped EXE

Stops running service(s)

AgentTesla

Modifies Windows Defender Real-time Protection settings

Process spawned unexpected child process

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/473a8f77c574d92bdce8c6537a67e053162b745128fcfbb48a873dc57e6e5321

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 6c683d6a74f935103e1eccd835ecf1cf9fb1124a7f3627e32c8850e76e889ffc

AgentTesla

exe 473a8f77c574d92bdce8c6537a67e053162b745128fcfbb48a873dc57e6e5321

(this sample)

Dropped by

MD5 b21933e10e058e1fb774569b50a0577a

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/34971/

Dropped by

SHA256 6c683d6a74f935103e1eccd835ecf1cf9fb1124a7f3627e32c8850e76e889ffc

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample