MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 554da92aa0dff594ff82094b0a8e8125419723e8899c670f7b8d74daf0580880. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 7

SHA256 hash: 554da92aa0dff594ff82094b0a8e8125419723e8899c670f7b8d74daf0580880
SHA3-384 hash: 9285524afd0d4ca7ee583278d9df7c1bf96e133272ae6c55ca09baa7eebb77630fe15793d26d36b25164d7303353d07d
SHA1 hash: b7dc5b8c756ee7a6981047cf50961a9478ea8e29
MD5 hash: 4b12529ef46127502423771c5b2a32a5
humanhash: maryland-carbon-hydrogen-leopard
File name: OUR REF-RFQ17641-4.exe
Signature: AgentTesla
File size: 803'328 bytes
First seen: 2020-07-22 07:24:17 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 7e01edf6e44755e0328837b108f7966d (7 x AgentTesla, 5 x Loki, 3 x NanoCore)
ssdeep: 12288:HQ/ena6F83r+bPrsdB0L0gazjJsJNulttShwmAlNfnA3U:6aaFabDs7btHlttqwmWfA3U
Threatray: 11'801 similar samples on MalwareBazaar
TLSH: 1E052922B193847FC266F5385C2663B56935F930FB1825A9EEA94B884F79DC33C241C7
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing AgentTesla:

HELO: server.megatroncorp.community
Sending IP: 162.241.205.158
From: Ms Chooi<rger.erstad@saint-gobain.com.my>
Subject: OUR REF-RFQ17641-4
Attachment: OUR REF-RFQ17641-4.pdf.gz (contains "OUR REF-RFQ17641-4.exe")

AgentTesla SMTP exfil server:
mail.enmark.com.my:587
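
Added example, not MalwareBazaar's or the reporter's code: a small Python IOC matcher built from the hashes in the entry above and the malspam/exfil indicators in this report. It computes a file's digests for comparison against the entry, flags the "document.pdf.gz"-style attachment name used here, and runs the indicators over constructed mail-server log lines and egress-connection records. The log lines, the workstation names ws-042/ws-017 and the extension lists in DISGUISED_NAME are assumptions made up for the example; the indicator values themselves are copied from this page.

```python
# Added example (not MalwareBazaar's or abuse.ch's code): match the indicators
# listed in this entry against a file's bytes, constructed mail-server log
# lines and constructed egress-connection records.
import hashlib
import re

# Indicators copied from the entry above.
FILE_HASHES = {
    "md5": "4b12529ef46127502423771c5b2a32a5",
    "sha1": "b7dc5b8c756ee7a6981047cf50961a9478ea8e29",
    "sha256": "554da92aa0dff594ff82094b0a8e8125419723e8899c670f7b8d74daf0580880",
    "sha3_384": "9285524afd0d4ca7ee583278d9df7c1bf96e133272ae6c55ca09baa7eebb776"
                "30fe15793d26d36b25164d7303353d07d",
}
MALSPAM = {
    "helo": "server.megatroncorp.community",
    "sending_ip": "162.241.205.158",
    "sender": "rger.erstad@saint-gobain.com.my",
    "subject": "OUR REF-RFQ17641-4",
}
EXFIL_SERVER = ("mail.enmark.com.my", 587)

# Document-looking name followed by an archive or executable extension, as in
# "OUR REF-RFQ17641-4.pdf.gz". The two extension lists are an assumption.
DISGUISED_NAME = re.compile(
    r"\.(pdf|docx?|xlsx?|txt)\.(gz|zip|rar|7z|exe|scr|pif)$", re.IGNORECASE)


def file_hashes(data: bytes) -> dict:
    """Compute the same digests MalwareBazaar lists for a sample."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in FILE_HASHES}


def matching_hashes(data: bytes) -> list:
    """Algorithms whose digest of `data` equals the entry's value: all four
    for an exact copy of the sample, none for any other file."""
    digests = file_hashes(data)
    return [alg for alg, wanted in FILE_HASHES.items() if digests[alg] == wanted]


def is_disguised_attachment(filename: str) -> bool:
    """True for names like invoice.pdf.gz or invoice.pdf.exe."""
    return DISGUISED_NAME.search(filename) is not None


def scan_mail_log(lines) -> dict:
    """Map 1-based line numbers to the set of malspam indicators found there."""
    hits = {}
    for number, line in enumerate(lines, 1):
        found = {name for name, value in MALSPAM.items() if value in line}
        if found:
            hits[number] = found
    return hits


def flag_smtp_egress(connections) -> list:
    """connections: (source, destination_host, destination_port). Returns the
    sources that reached the AgentTesla exfil server on the submission port."""
    return [src for src, host, port in connections if (host, port) == EXFIL_SERVER]


# Constructed sample inputs (not real logs); the format mimics Postfix syslog.
MAIL_LOG = [
    "Jul 22 07:20:11 mx postfix/smtpd[4711]: connect from "
    "server.megatroncorp.community[162.241.205.158]",
    "Jul 22 07:20:12 mx postfix/cleanup[4712]: 7F3A1: "
    "from=<rger.erstad@saint-gobain.com.my>, subject=OUR REF-RFQ17641-4",
    "Jul 22 07:31:05 mx postfix/smtpd[4720]: connect from "
    "mail.example.net[198.51.100.9]",
]
EGRESS = [
    ("ws-042", "mail.enmark.com.my", 587),
    ("ws-017", "smtp.example.net", 587),
]

if __name__ == "__main__":
    print(file_hashes(b"not the sample"))
    print(is_disguised_attachment("OUR REF-RFQ17641-4.pdf.gz"))
    print(scan_mail_log(MAIL_LOG))
    print(flag_smtp_egress(EGRESS))
```

The imphash, ssdeep and TLSH values on the page need the pefile, ssdeep and tlsh libraries and are not covered here; the hashlib digests alone are enough to confirm whether a quarantined file is this exact sample. A workstation opening port 587 to a mail host that is not the corporate relay is the egress signal worth alerting on regardless of the specific host name.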

Intelligence


File Origin
# of uploads: 1
# of downloads: 75
Origin country: n/a
Vendor Threat Intelligence

Result
Verdict: Clean
Maliciousness:
Behaviour
Creating a window
Unauthorized injection to a recently created process
Result
Threat name: AgentTesla GuLoader
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Behaviour
Behavior Graph (ID 249706, sample OUR REF-RFQ17641-4.exe, start date 23/07/2020, architecture WINDOWS, score 100); recoverable content of the graph image:
Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 11 other signatures
Top-level DNS: checkip.us-east-1.prod.check-ip.aws.a2z.com, checkip.check-ip.aws.a2z.com, checkip.amazonaws.com
Process chain: OUR REF-RFQ17641-4.exe started, maps a DLL or memory area into another process, then starts a second OUR REF-RFQ17641-4.exe instance (hides threads from debuggers), which starts a third instance (maps a DLL or memory area into another process, hides threads from debuggers) that contacts googlehosted.l.googleusercontent.com 216.58.215.225:443 (GOOGLEUS, United States) and doc-0c-44-docs.googleusercontent.com, and in turn starts a fourth instance.
Fourth instance: contacts enmark.com.my 110.4.45.145 (ports 49724, 49726, 587; EXABYTES-AS-AP ExaBytes Network Sdn Bhd, Malaysia) and mail.enmark.com.my; tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc.); tries to steal Mail credentials (via file access); tries to harvest and steal ftp login credentials; tries to harvest and steal browser information (history, passwords, etc.)
Threat name: Win32.Infostealer.Fareit
Status: Malicious
First seen: 2020-07-22 07:26:07 UTC
AV detection: 25 of 29 (86.21%)
Threat level: 5/5
Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
  AgentTesla
    Executable exe 554da92aa0dff594ff82094b0a8e8125419723e8899c670f7b8d74daf0580880 (this sample)

Delivery method: Distributed via e-mail attachment

Comments