MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 662fef8b4f1d3b467039e66b6c6c415583bca1cb49adf66dbf900d4c48f35db1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	662fef8b4f1d3b467039e66b6c6c415583bca1cb49adf66dbf900d4c48f35db1
SHA3-384 hash:	3e0bc8d8d3c6ba5ba42da781e6b76a7f887626149b03ed4d4ef00a6957b007d86683aebc02d4a11a039649fb4851b0c9
SHA1 hash:	bfd9c6630773bd6c3be73da381311db92e676b5d
MD5 hash:	90056f0f953f5973c5a29bc050fd1fce
humanhash:	alanine-spaghetti-colorado-echo
File name:	Kestrel GTCC Pvt Ltd RFQ_xls.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	540'672 bytes
First seen:	2020-07-16 08:06:27 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:d3Mx2k4zULNQsGEV/n1azWDmQ90zeuguGN1zHtA50TuoSa:dyNoEVgzD6ugF
Threatray	11'127 similar samples on MalwareBazaar
TLSH	67B48CDC3510759EC84E8D764964DC70A6203C66F7FBE20763C36E9FBA3C696CA111A2
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: gtslogistics.org
Sending IP: 72.18.130.157
From: Kestrel GTCC (Pvt.) Ltd. <abidraza@kestrel.com.pk>
Subject: KESTRE GTCC (Pvt.) Ltd. Request For Quotation
Attachment: Kestrel GTCC Pvt Ltd RFQ_xls.z (contains "Kestrel GTCC Pvt Ltd RFQ_xls.exe")

AgentTesla SMTP exfil server:
mail.tlshellfish.uk:587

AgentTesla SMTP exfil email address:
ricemagic290@gmail.com

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/26500/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Using the Windows Management Instrumentation requests

Enabling autorun with Startup directory

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/389441

Signature

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/662fef8b4f1d3b467039e66b6c6c415583bca1cb49adf66dbf900d4c48f35db1/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-16 07:57:57 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=myx67c2pdu5um4bz4zvwy3cbkwb3zioljgw7m3n7saguyshtlwyq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

278ad81624b893327658b221bc291559afc775fb5ca85e33c70901bfc45fad83

AgentTesla

2a938146aaf4b99735e88bad458fcd754b82072ee56ebe2a7baa8ee0bf9d3351

AgentTesla

5acfaa45206fa03fc84c524016caa909e43f04e1c78232060439f354cc6e5ff2

AgentTesla

6b6e59a4d06a6facb44ad4bdc483ea0de5edfcb0422a7c1c477afe3a87180279

AgentTesla

6c14f83aa09c4b45b49bc66096834c964a934f8d171733babb829aaf1f6d579e

AgentTesla

8b1417b74ac31f2e60a6a9f5ed507caf06026191354ce0e4b6bf0816fd3f512d

AgentTesla

8c254637c5c98fe6755a44e5ea6feba18d0a17c4ad53e8d791277390060c29e5

AgentTesla

ce81c54992ea435794bf323a5af3b6a58450009e4084e5f898d00f3d77872b24

AgentTesla

d44ec72ea7ed650ad5ae4102ef8b60397673335a4471f2537cf6f5933cc8bf49

AgentTesla

+ 11'117 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200716-dlecsyk632/

Behaviour

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar