MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7f3d3f1008ceebb52921ebf9519ae7f84f9015ee4f7dcda28cedd5271737967f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	7f3d3f1008ceebb52921ebf9519ae7f84f9015ee4f7dcda28cedd5271737967f
SHA3-384 hash:	3cfb5f60556737108be21c0c8869c7922ee0e0fb36dd6835ae2454cd68cd1007068f7fa4dc18b3d716c93eb5f5e9c7ca
SHA1 hash:	2834d4fcdca82a4835adf006810705a386ec8915
MD5 hash:	0253fc675a74d862a070e969154d0cd6
humanhash:	william-solar-lima-harry
File name:	RFQ REF R2100131410.pdf (2).exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	432'128 bytes
First seen:	2020-08-05 08:51:07 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:rY4brJATlgbPdBd34Ezwju8PZCWJIDqAfFf:rYSOS7WjLR
Threatray	10'749 similar samples on MalwareBazaar
TLSH	4D94F11C3690565AF2BA4E3F9C314193EE22F91FDD62D6876AB2216841BE25CFC30F51
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: trelleborg.com
Sending IP: 37.48.85.232
From: Wang Tan<info@trelleborg.com>
Subject: RFQ REF : R2100131410
Attachment: RFQ REF R2100131410.pdf 2.zip (contains "RFQ REF R2100131410.pdf (2).exe")

AgentTesla SMTP exfil server:

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/39270/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/410687

Signature

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7f3d3f1008ceebb52921ebf9519ae7f84f9015ee4f7dcda28cedd5271737967f/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-08-05 02:37:40 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=p46t6eaiz3v3kkjb5p4vdgxh7bhzafpoj5643ium5xksofzxsz7q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2ee560a991356dbcf4f398a7db1e8258c0fac8fbc0f938ad03f6a6d00810aacb

AgentTesla

310cda4734ff6074a97bb0e7cd6c5ebe6aaaec58408650752b73dbae53a5e396

AgentTesla

634fe7f055e811f93c607b8e6f3333c2a5708236637c1accb3965284d82651bb

AgentTesla

6b0f2c8d4a8c8883be658db9868b33db30eb73755e4688279c29599eb25c6099

AgentTesla

a1ae3cae3a7b93cf6120c02c769ba0779bc367f892e0aebc5809b7ec936e1c0f

AgentTesla

a540201f44f378a2bcade1e6190cd5784ae7cc0bc0f1138436afeb7b10ef7050

AgentTesla

b3770ed7e40082d700739a98f8be9a3a338be55580942c0baddc5f03e03e5a63

AgentTesla

b82d04c79bfd870dd7024db85a5c3c60827776af6bfd6b73306ceebf72150ba4

AgentTesla

e23a268f1e3c63c4b2460a42e219a7237744ddaad6d9bf383977c85d9921843d

AgentTesla

+ 10'739 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200805-xvprdydvxa/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7f3d3f1008ceebb52921ebf9519ae7f84f9015ee4f7dcda28cedd5271737967f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar