MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f0fb6cbeb67d61d2fcf55c3e9496eee625be53db7e4e0a6321403efd9f8f7c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	7f0fb6cbeb67d61d2fcf55c3e9496eee625be53db7e4e0a6321403efd9f8f7c8
SHA3-384 hash:	a955260284061797a5701fc03770493c60b15662ad38eb16e792219a5dbf6c796620b6ffb477fa0d554803c843f16dba
SHA1 hash:	0f220db3b4f624c54b0b50bb507ee7adec9d56d7
MD5 hash:	7ec820bf892a68ed5c1ff519e3719d00
humanhash:	florida-green-white-steak
File name:	KAFA_item sheet_7282020_PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	616'960 bytes
First seen:	2020-07-29 14:48:34 UTC
Last seen:	2020-07-29 15:46:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:MSADlsgbMsCyN8GxU3tkrZQlKGNuV3l7uqmG29i:XAbMsCIWkNFQuV4qmG20
Threatray	10'559 similar samples on MalwareBazaar
TLSH	44D4D059B680F91AC3BE4234E2DD5118CFFCC196912BE3656855A7FF2AC33A3D4092B1
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35016/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/402792

Signature

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7f0fb6cbeb67d61d2fcf55c3e9496eee625be53db7e4e0a6321403efd9f8f7c8/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-29 14:50:07 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p4h3ns7lm7lb2l6pkxb6sslo5zrfxzj5w7sobjrscqb67wpy67ea._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1382fdb29bab4fdfecdead8eb5d85d022a16d4f0286513b226745d890a3f47f4

AgentTesla

1dc4cd5cf6cb54871f9deba8d8c39cf6856a149d4c099585c5555a810e1e96dd

AgentTesla

5b21a902c6ecee945467bf474131a618a7638e1757807f268300b21662e3fb12

AgentTesla

642f3ac7ce246c87fed41bc3952ed2086187587f34a5b27270ac3c1ffca8aff3

AgentTesla

82b29aea19d46b3da79de8efa015b73dd3589353e16b73579820ab8a1a0ec077

AgentTesla

89819dbac176147b14b878250b43d1954844e6f0d4bace8b4607bad4405ca96b

AgentTesla

8a0779333aa240cc2fd83c8e32febca648d04c2e01db732fbc0e6180495b7ae9

AgentTesla

92a7c4b4694b3849c97651e3c5713eedbf3e9a5f157724d6ca9047b05ed0e3d9

AgentTesla

cb8a3020513f5f20c9bf0024baa3e328fc8d54794b9b94f7ddc0e2bac208945f

AgentTesla

+ 10'549 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger trojan stealer spyware family:agenttesla

Link:

https://tria.ge/reports/200729-d58hysajna/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7f0fb6cbeb67d61d2fcf55c3e9496eee625be53db7e4e0a6321403efd9f8f7c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar