MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17fad325e9717e20c930f698f08f711320a505560e239b5de9df67c62258a3bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	17fad325e9717e20c930f698f08f711320a505560e239b5de9df67c62258a3bd
SHA3-384 hash:	fc6d4b7d85d956d49d9ab64e585e98abab782f53a927f1020a83351570c087d68de4a6cacc06258d794010b0185da6fe
SHA1 hash:	2b9e4c4d82fcb91ec317ba1ea94a43c99c1a88f3
MD5 hash:	18bc83da8bfabb01740276062d6e014e
humanhash:	texas-mike-eleven-whiskey
File name:	RFQ- 19A20060.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	487'936 bytes
First seen:	2022-11-23 18:20:53 UTC
Last seen:	2022-11-25 13:17:38 UTC
File type:	exe
MIME type:	application/x-dosexec
ssdeep	12288:/foXfDjiFs62c4Y40p9LqwFpFztF2+RCEUKMJ39Lavxrp:YXfDjiFKcFuwFpDQ+8HKMJpU
Threatray	645 similar samples on MalwareBazaar
TLSH	T17CA423F24225EF47DA9A53B0C43D950EAFE1461190FABB86C04C3ACDEA5B97150FA3D1
TrID	44.4% (.EXE) Win64 Executable (generic) (10523/12/4) 21.3% (.EXE) Win16 NE executable (generic) (5038/12/1) 8.7% (.ICL) Windows Icons Library (generic) (2059/9) 8.5% (.EXE) OS/2 Executable (generic) (2029/13) 8.4% (.EXE) Generic Win/DOS Executable (2002/3)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

240

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ- 19A20060.exe

Verdict:

No threats detected

Analysis date:

2022-11-23 18:23:45 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/d8770f94-d447-44f7-9e1c-08b5240ff454

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/337803/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.1683.25920.17843.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a custom TCP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Creating a window

Stealing user critical data

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

packed

Link:

https://www.filescan.io/uploads/637e648e559d07a06f470fd2/reports/bacc584b-a4ca-45d0-a914-546099812a48/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/d251a06d-5b61-4a16-8cf9-46762b6fff30

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1119993

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

.NET source code references suspicious native API functions

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/17fad325e9717e20c930f698f08f711320a505560e239b5de9df67c62258a3bd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-11-23 09:15:06 UTC

File Type:

PE+ (.Net Exe)

Extracted files:

AV detection:

21 of 26 (80.77%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=c75ngjpjof7cbsjq62mpbd3rcmqkkbkwbyrzwxpj35t4misyuo6q._file

Verdict:

malicious

AgentTesla

55cf18f4491e2db87c5612b2501dbbd3acd9c6460b1863ab56f5d9209cbecbdc

AgentTesla

67600d161c7a30d3a06b1f49332e26a4e9010536dca825ba294802934c4358e5

AgentTesla

803ce3a81dac97819000978aa8798f1d2464e12785d1625aa5ee01d0589ec8a2

AgentTesla

b5b8524f2b24683dbeb07c9af2ddc8175a7a7b8925fd2db5f9776be568c2135e

AgentTesla

c4a2d1a93c9da2d51ae8d0ef88b1dbf6fecd931714d9a09221c4f928f6861ce3

AgentTesla

d1ca3f8fb1acd28ee6ce1227880e74fca8aa908ca373931a5180f3cb76bb8fe1

AgentTesla

def9b4590e2daf9efa8ce75908a776997c3e434dda942b58c8ece1994a4ec8e2

AgentTesla

f194cc1d2476f819084e0612933173c0a8302453d32f77331e39a5d96ef5e46f

AgentTesla

+ 635 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/221123-wza4rsgc7z/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

AgentTesla

Unpacked files

SH256 hash:

17fad325e9717e20c930f698f08f711320a505560e239b5de9df67c62258a3bd

MD5 hash:

18bc83da8bfabb01740276062d6e014e

SHA1 hash:

2b9e4c4d82fcb91ec317ba1ea94a43c99c1a88f3

Link:

https://www.unpac.me/results/f8e1e459-f8be-4cb7-9848-22f368bf2fad/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/17fad325e971/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/17fad325e9717e20c930f698f08f711320a505560e239b5de9df67c62258a3bd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/337803/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample