MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0a7076f1d686a769970ee8bfb6fbebd57416cef3dc4cf10bb702faddffcdbc27. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	0a7076f1d686a769970ee8bfb6fbebd57416cef3dc4cf10bb702faddffcdbc27
SHA3-384 hash:	17e8a0240c0c48a772baf59f785f0a72def25f87bc86572f59c55bd2a3445a500dd7cdcf6ff26161ad52cf96fe65f483
SHA1 hash:	651aee0d3624fb89b3e1a62600ad6a3a4e426149
MD5 hash:	f41f63e83a34e7863da8521e632c0c35
humanhash:	india-rugby-double-eight
File name:	2009154pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	810'496 bytes
First seen:	2020-08-19 14:41:21 UTC
Last seen:	2020-08-19 15:47:08 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep	12288:/NtBuTkLsGlDaQzbUF0dyLnXpfJHE5EWDvFSblT0ix4eL60Yn9U:/NtsWPlD2FjjpftEWASKBo60
Threatray	9'513 similar samples on MalwareBazaar
TLSH	CC05022176C0B6CFC42A8F3558A25D10E3F1E6275B07E74F2C8721EE1E5DA57CA62272
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: smail171.cn4e.com
Sending IP: 118.145.2.171
From: Yi <cc@798.com.cn>
Subject: Shenzhen Allwell mould Request For Quote
Attachment: Shenzhen Allwell mould RFQ.img (contains "2009154pdf.exe")

AgentTesla SMTP exfil server:
mail.jiachen.com.tw:587

AgentTesla SMTP exfil email address:
kelsely1@yandex.com

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/48654/

Detection(s):

SecuriteInfo.com.CIL.HeapOverride.Heur.14856.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/438564

Signature

Binary contains a suspicious time stamp

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Moves itself to temp directory

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/0a7076f1d686a769970ee8bfb6fbebd57416cef3dc4cf10bb702faddffcdbc27/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-19 14:42:08 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=bjyhn4owq2twtfyo5c73n67l2v2bntxt3rgpcc5xal5n376nxqtq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3422570f5cee8a48426f11fe8ff9b46f281669fb677ca7f761c2b4538bd73f08

AgentTesla

3858c456ab026309da4ac40a5dc2c8e3d360c9f27c592ffb74875443a1e775b5

AgentTesla

527bf96dc4d090f961c250f7c6411f477acfafcea3a80e83f4f567a0d497f632

AgentTesla

5eff8146838a95a421d926b71fdf0a78a67d822978e0cfb00a5d8e4d24b4f983

AgentTesla

68b6aee99f9d4bf184c77beacb3b8a418f84a7efa606e5bd7f4fd57edb904054

AgentTesla

6ef9a45a617adf0e0ff740e37c865325289a110394725c393c314a3128a2575f

AgentTesla

8783057cc8930a463131d8ff23512b98eb99be7c1fec90de2be9da89e56d1c3b

AgentTesla

a023a321ec46a48bd33ea0823b3c57b43ad09a85c711d319d556c8a5d7058b73

AgentTesla

bf16393640303afe03a092d605a39a69d05158bce15d690128ef2b2103dfa5c7

AgentTesla

+ 9'503 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200819-l8zrptb722/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0a7076f1d686a769970ee8bfb6fbebd57416cef3dc4cf10bb702faddffcdbc27

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar