MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9ef4db3fccbcfe3601f7ff80f7850a6533300f7e65a8d1edd7338052877254c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	9ef4db3fccbcfe3601f7ff80f7850a6533300f7e65a8d1edd7338052877254c4
SHA3-384 hash:	d14b14dc6ee14331e87e376078aad88827c7701527736b70f24f5235bc2959eb5de7ee91d5f630367f379064c88024ca
SHA1 hash:	295690e7951ec7bb00ef68a521ecb8b9403a52e7
MD5 hash:	682f9afc2848375728c3e07632d4dc58
humanhash:	early-mountain-march-georgia
File name:	RFQ-NNC29720M7493.iso.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	626'688 bytes
First seen:	2020-08-17 13:59:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:aQdRqOZ+qXC+/CQC/GGZEW1m8M2lN9JVIFSJQgCn7Ra79WSIDqOl:7IkqnM2VJVkgq4BWSIh
Threatray	10'703 similar samples on MalwareBazaar
TLSH	BAD41233F6A5C546C43B1A7A8D5A132507B4B6CAB551FB3E7E8413C8E8B53E28241FC6
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: xv20.502.pinotvineryms.cf
Sending IP: 104.248.29.149
From: Fatin MR <acc.elrehab@502.pinotvineryms.cf>
Subject: Fw: REVISED RFQ-NNC29720M7493
Attachment: RFQ-NNC29720M7493.iso.zip (contains "RFQ-NNC29720M7493.iso.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/47075/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/433678

Signature

.NET source code contains potential unpacker

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9ef4db3fccbcfe3601f7ff80f7850a6533300f7e65a8d1edd7338052877254c4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-17 04:53:05 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t32nwp6mxt7dmapx76appbikmuztad36mwund3oxgoaffb3sktca._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

40320b0e68eab85d1bedae171c4f0bbafd5bb19059038121247229c2186a66ec

AgentTesla

467891785750079e8bb4f067c246a7c736756bf9f17c9d09cc4f384970b8fd99

AgentTesla

47e2cdade33723e82c06a0411695ff32f874ee73024f658cf8c00592dff729a8

AgentTesla

6e845201e97b3dbeeb0db649e9641e996a1b7eb7f5a2633375c85703e7407acd

AgentTesla

84b57878a21a4ae3d1ee0674635be0b4ec9608eeddbab113596621fab4df8407

AgentTesla

88734622195f09667ec17ecc61c3a1fe7dd63a930d45a22db92fe95cdf787af2

AgentTesla

921bb8527b96ab1d80d606cab7654a9754846a319f92e5ce8849ca02c4a1eb52

AgentTesla

bcfc9876088f51e804d9f3c648263e1ddf64364e880eb15822fea189ba831238

AgentTesla

e83cce8d60127437894d5b422661ed7de18974fcdf587e060abdb3158d310b9f

AgentTesla

+ 10'693 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200817-bt4bg9tds6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/9ef4db3fccbcfe3601f7ff80f7850a6533300f7e65a8d1edd7338052877254c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar