MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ed847b13d7e0e4544eba48cd80e78a0dc002a8c46b3acb871113ad5be5f44916. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	ed847b13d7e0e4544eba48cd80e78a0dc002a8c46b3acb871113ad5be5f44916
SHA3-384 hash:	a1b34b0aac9dad91abb1e47133e2dcbe95965a44946a5e30f14585b206182105db9c40a24dc9947b3103d5ed3389f8ec
SHA1 hash:	62fe606dc33a8edac56bad7f5c2a4f13bcf715b6
MD5 hash:	c967589df48029a3211adc22b5f404d2
humanhash:	massachusetts-monkey-princess-robert
File name:	Quotation Requirments data sheet RFQ 081602020.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	609'792 bytes
First seen:	2020-08-16 13:59:09 UTC
Last seen:	2020-08-16 15:07:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:96XYPIxL+eNDQiYu6vN1cqq0D4JNPhaLGzQLU30vOjmnNttFg1ENLAF+qa:9SYPIxL+eJAu6FnqG4JN5CVHNiZgB
Threatray	10'615 similar samples on MalwareBazaar
TLSH	A2D41223F5F4C662C4BA2EB785E4171047B276C6D512F71D7C8806A9BAB76C6C340EE2
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: mail2.asegi.es
Sending IP: 194.53.148.44
From: Afnas Khader (Bayouni Trading Company) <khader.afnas@bayouni.com>
Subject: RE: Urgent Quotation Request and Delivery schedule REF-AMI-08162020 COPY-4
Attachment: Bayouni Trading Company RFQ-AMI-0816020.r00 (contains "Quotation Requirments data sheet RFQ 081602020.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/46474/

Detection(s):

SecuriteInfo.com.ArtemisC967589DF480.29339.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/432271

Signature

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Moves itself to temp directory

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ed847b13d7e0e4544eba48cd80e78a0dc002a8c46b3acb871113ad5be5f44916/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-08-16 11:47:15 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=5wchwe6x4dsfitv2jdgybz4kbxaafkgenm5mxbyrcowvxzpujela._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1f5f7921e3be739b51bead01306a9cc5dc7fec1dbc01a6784497de89afb6742c

AgentTesla

69141d8c99ebc4e3298c2e7203d061fe46d3bd513e3f93498a9fe2753cd82b8a

AgentTesla

6b3c0907618cdc1bdcb07dd987ee91dbcc691b2181d947e81d8d2756d7cea195

AgentTesla

77bb6489c1fd6c87f2ba80955211d0eef9be425d4e6076bd7280c6f87f9f3300

AgentTesla

7811b5864571348651746538905398e08bc9a5a11d6cb27ff6dd7a970be77741

AgentTesla

babb19e7cb06c97942ebdda46ddfe8435b8281ab8459080e0282485e02d587d4

AgentTesla

e593655b5dafbbb4d5a991689b883d1304c8b653a714ec724d31c08ed37f13d5

AgentTesla

f16ce9d494986b9f5a386de9b3a9a691c7939db12d030daf87cbb4c5f299f315

AgentTesla

f6fb0f9050f39e6c6b3441d6a71d0e975552093fcf77f1d45ab06ef9b1fd7691

AgentTesla

+ 10'605 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200816-n7rgj361bj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ed847b13d7e0e4544eba48cd80e78a0dc002a8c46b3acb871113ad5be5f44916

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar