MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0a69136aed3f43352db370b595ab42f1de09e7de6cfddfee3248cf4e6b310709. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 9
| SHA256 hash: | 0a69136aed3f43352db370b595ab42f1de09e7de6cfddfee3248cf4e6b310709 |
|---|---|
| SHA3-384 hash: | 1f81ef1c3d28ece4b1315c037744d09db2eaa1bfbefef24f1b663aacfae703142068527370398a62013fcc2ebf331e5c |
| SHA1 hash: | 545546a53aa7d101a41e0c1be3f5e7059df6ed15 |
| MD5 hash: | ca6ad7a9ebeb09cce5a3b58cf57ec137 |
| humanhash: | sad-summer-foxtrot-pip |
| File name: | RFQ_DN400CCC331G,PDF.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 3'033'088 bytes |
| First seen: | 2020-08-13 09:36:32 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'481 x Formbook, 12'209 x SnakeKeylogger) |
| ssdeep | 49152:WP1ecIpdmKrl9wddiWJ970phP8mOUAK9:WP1ecIpdmKrl9sdiWJ97ohP8mLAK |
| TLSH | 10E58D5AB843718BF55640F01ED395E4B1D6312912B14638EEAB187EE80DC7B7CDE8B2 |
| Reporter |  abuse_ch |
| Tags: | AgentTesla exe |
abuse_ch
Malspam distributing unidentified malware:HELO: impusa.com
Sending IP: 31.168.40.90
From: Carriso <sales@impusa.com>
Subject: RFQ_DN400_600CC3312.PDF
Attachment: RFQ_DN400_600CC3312.PDF.z (contains "RFQ_DN400CCC331G,PDF.exe")
Intelligence
File Origin
# of uploads :
1
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Result
Verdict:
Malware
Maliciousness:
Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Signature
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Detection:
agenttesla
Threat name:
Win32.Trojan.Ymacco
Status:
Malicious
First seen:
2020-08-13 09:38:08 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
unknown
Result
Malware family:
agenttesla
Score:
10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.