MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fade4888c4d9578792698d19cd87ee1bff8bdf2682313175c23313cfbd4dd681. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fade4888c4d9578792698d19cd87ee1bff8bdf2682313175c23313cfbd4dd681
SHA3-384 hash: 268f24a6d1df44a65d760a86a6ef09e835061176aa329a70c27064884e328347cf567593c5a57dd3c6428cc01550366e
SHA1 hash: 6f3b2f65514e5928567df21ec5d091e90b51edf8
MD5 hash: 3311c853d8157c3599f7ff52a4037bc4
humanhash: cold-spaghetti-lion-mike
File name:Urgent Bid for Quotation.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:738'816 bytes
First seen:2020-07-21 07:41:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:gHvVxMEkMa24ISziyFV6cSxqRsrvBQhNgtAR/i+h:4v/yIMP6cSQ0JYR
Threatray 10'623 similar samples on MalwareBazaar
TLSH 5DF44A40F3F982CDDB79E6BEF423412546607E465BE6D30E2746F79D2A213618B03E62
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail0.711.gillonuminno.ml
Sending IP: 142.93.134.62
From: ACCOUNTS <tiramaman@analjenafar.com>
Subject: Re:Order FTH2004-005
Attachment: ORDER FTH2004-005.rar (contains "Urgent Bid for Quotation.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
75
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29834/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392796
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 248671 Sample: Urgent Bid for Quotation.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 Yara detected AgentTesla 2->55 57 3 other signatures 2->57 6 Urgent Bid for Quotation.exe 5 2->6         started        10 WNRUXJ.exe 3 2->10         started        12 WNRUXJ.exe 4 2->12         started        process3 file4 25 C:\Users\...\Urgent Bid for Quotation.exe.log, ASCII 6->25 dropped 59 Injects a PE file into a foreign processes 6->59 14 Urgent Bid for Quotation.exe 2 13 6->14         started        19 WNRUXJ.exe 10 10->19         started        21 WNRUXJ.exe 10->21         started        61 Multi AV Scanner detection for dropped file 12->61 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->65 23 WNRUXJ.exe 2 12->23         started        signatures5 process6 dnsIp7 31 smtp.yandex.ru 77.88.21.158, 49738, 49739, 49740 YANDEXRU Russian Federation 14->31 33 smtp.yandex.com 14->33 27 C:\Users\user\AppData\Roaming\...\WNRUXJ.exe, PE32 14->27 dropped 29 C:\Users\user\...\WNRUXJ.exe:Zone.Identifier, ASCII 14->29 dropped 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->37 39 Moves itself to temp directory 14->39 41 Tries to steal Mail credentials (via file access) 14->41 43 Installs a global keyboard hook 14->43 35 smtp.yandex.com 19->35 45 Tries to harvest and steal ftp login credentials 19->45 47 Tries to harvest and steal browser information (history, passwords, etc) 19->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->49 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fade4888c4d9578792698d19cd87ee1bff8bdf2682313175c23313cfbd4dd681/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 07:43:09 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7lpercge3flypetjrum43b7odp7yxxzgqiytc5ocgmj47pkn22aq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20486793ae98833178cb24180d58511ac0ec100a3c341b7a956b95a13cdd1e72
AgentTesla
2603522c96e103c7707dc88be9b18bb603fc8d57a7f8635a9c5c6365cdff955d
AgentTesla
8707af08ec5c7b76ea40346f7b62861080f534fc2438a30cda18260563a7c16e
AgentTesla
9d604c08ee1d3c2f747a0813ba0b38fb34477eca74a73176939f5a37a1ba5bc5
AgentTesla
9f56641fa34365d546b70d51aa82899b863a4781a3e51f6e78c62fa198472a79
AgentTesla
acb0ce9651be7099082733999b4f29df902a494d9679c4a6352cac88ec5d0887
AgentTesla
c82a5ce771ee4c6afb7406184afba40c9aa6281c54cb9d6eeef5861d476cb3e9
AgentTesla
cda67b60abb97c0f20a8a45c5a86b02491695471576d899dadf67cb7f8cdd765
AgentTesla
f106c0e340d4fb92717d3ec2fd4e1c928155b3faa06aa8f4b98e9596cb5d401f
AgentTesla
ff5d13d49200bed78996c65f2eecfae2638c9d8d0cace76ba2faf3403b518af9
AgentTesla
+ 10'613 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200721-29taneprde/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fade4888c4d9578792698d19cd87ee1bff8bdf2682313175c23313cfbd4dd681

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 1eb864af99ab0c153ab7224bd5bf0d6dfc42ee8e45fc6fcdc3c4ec55f10c6be8

AgentTesla

Executable exe fade4888c4d9578792698d19cd87ee1bff8bdf2682313175c23313cfbd4dd681

(this sample)

  
Dropped by
MD5 5152a90f66e491ff179394c274d97b62
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29834/
  
Dropped by
SHA256 1eb864af99ab0c153ab7224bd5bf0d6dfc42ee8e45fc6fcdc3c4ec55f10c6be8

Comments