MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 84b57878a21a4ae3d1ee0674635be0b4ec9608eeddbab113596621fab4df8407. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	84b57878a21a4ae3d1ee0674635be0b4ec9608eeddbab113596621fab4df8407
SHA3-384 hash:	62ffe585aa2ea58ace8c5d380b6a43b91929e8690fac64aa15053267f400d899c1efb963981f8aca2d5ef4565a76ae86
SHA1 hash:	829454752c9ed36c5a4353a25f516a3644cda4f3
MD5 hash:	fd1be3c496e2e46de4248888576ddba1
humanhash:	cardinal-carolina-happy-aspen
File name:	REVISED RFQ 139995-JEP 139996-NBM 139998-QPT.pdf____.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	746'496 bytes
First seen:	2020-07-29 13:49:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:jakzwuh8BSfN7Bv16pDBALFG4XOoGiRrfe4xo6uWZPnDwuk/i+Ga4x44XqA:2YwutfN7BvQOcUjJoULwbqTa4W4XqA
Threatray	10'786 similar samples on MalwareBazaar
TLSH	68F43869F4816541E53D1A3184B86D807AB2B74A2E0DC60F38FB374C5E356DB3B16CAE
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/34929/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/402628

Signature

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/84b57878a21a4ae3d1ee0674635be0b4ec9608eeddbab113596621fab4df8407/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-29 09:57:15 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

32 of 48 (66.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qs2xq6fcdjfohupoaz2ggw7awtwjmcho3w5lce2zmyq7vng7qqdq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

40320b0e68eab85d1bedae171c4f0bbafd5bb19059038121247229c2186a66ec

AgentTesla

467891785750079e8bb4f067c246a7c736756bf9f17c9d09cc4f384970b8fd99

AgentTesla

6e845201e97b3dbeeb0db649e9641e996a1b7eb7f5a2633375c85703e7407acd

AgentTesla

7998ac3e684a8b86abc784ecfbce4a23a54166ef3a08d497a0288dc667c6f510

AgentTesla

88734622195f09667ec17ecc61c3a1fe7dd63a930d45a22db92fe95cdf787af2

AgentTesla

921bb8527b96ab1d80d606cab7654a9754846a319f92e5ce8849ca02c4a1eb52

AgentTesla

9a99082664fba770485b23172f61bdd349863e9803d7a01170e1839026c6a0fb

AgentTesla

9ef4db3fccbcfe3601f7ff80f7850a6533300f7e65a8d1edd7338052877254c4

AgentTesla

bcfc9876088f51e804d9f3c648263e1ddf64364e880eb15822fea189ba831238

AgentTesla

+ 10'776 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger trojan stealer spyware family:agenttesla

Link:

https://tria.ge/reports/200729-r86nwe886s/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Loads dropped DLL

Reads user/profile data of local email clients

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/84b57878a21a4ae3d1ee0674635be0b4ec9608eeddbab113596621fab4df8407

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/34929/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample