MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa1d76b3b91067daa21b5b953ddd36b570e033b1f95687e5482eec26afb79ee2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	fa1d76b3b91067daa21b5b953ddd36b570e033b1f95687e5482eec26afb79ee2
SHA3-384 hash:	f35502c83e05f6463d5edac618ebd73d6dab071a1f043f6329ca5d05e0e8764e34f52c2c233f343540c351c84bade27e
SHA1 hash:	8149f99e9b900de0eb7b4682dc364eb2058c43d4
MD5 hash:	7aeefd29bc8befca48ff8eaef4406b03
humanhash:	early-berlin-three-six
File name:	Sample Order 754..PDF...exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	653'312 bytes
First seen:	2020-07-29 11:24:03 UTC
Last seen:	2020-07-29 12:22:33 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:Ikzwuh8BSfN7Bv16pDBIsu5WkwJfXFqzQoTLOmWiwMmkozj6O2qEW7ET0:IYwutfN7BvQmsu5WDNqlw6Op7
Threatray	10'785 similar samples on MalwareBazaar
TLSH	02D45A2E3A465416D93D1A32C4A85ED0BAF3A1873F51CF1E79DB174C5E02ADB3B0624B
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: vps.luckycable.co
Sending IP: 45.95.169.128
From: Lucky Cable Co. <info@luckycable.co>
Subject: R: urgente
Attachment: Sample Order 754..PDF..rar (contains "Sample Order 754..PDF...exe")

AgentTesla SMTP exfil server:
mail.bosut.mk:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/34826/

Detection(s):

SecuriteInfo.com.CAP_HookExKeylogger.462.5897.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/402431

Signature

.NET source code contains very large array initializations

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/fa1d76b3b91067daa21b5b953ddd36b570e033b1f95687e5482eec26afb79ee2/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-29 11:25:57 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=7ioxnm5zcbt5viq3lokt3xjwwvyoam5r7flipzkif3wcnl5xt3ra._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4052f5e207560e9b8f69df4cc3002207418a3b26438bbd1a4279d096d0e83074

AgentTesla

4067a43c3518dd21e937615d4d05115eeb11a15691ebb1197222221b5cdf9e9d

AgentTesla

91be4693dca30e94dbeebd75115292e913a1377d89e3754cd0323b816faec24e

AgentTesla

a4d4f50a2dff36ea8d3f92a832578a875c3f6a3ce227f1263114bf9dcbe9e335

AgentTesla

b341dab43275abb083b31e6852485e7f21802e6ab4310020a48dd8162c8c9c69

AgentTesla

c750ae55b3e3cf8c83f657da2dc436d6acd799172701d6bb70caf72f4656e747

AgentTesla

cd9532fea4c331fed21dd929be9a963c50662e545e38a63fcae56cf13199fead

AgentTesla

f106c0e340d4fb92717d3ec2fd4e1c928155b3faa06aa8f4b98e9596cb5d401f

AgentTesla

ff7d38007dac1659fdeeea13da2b1d451cf4e7b17f7d22f9f6dc3aa3477a5580

AgentTesla

+ 10'775 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

1/10

Tags:

n/a

Link:

https://tria.ge/reports/200729-2frc4x2e1j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Executes dropped EXE

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fa1d76b3b91067daa21b5b953ddd36b570e033b1f95687e5482eec26afb79ee2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar