MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20795651735a3b9de9a7cd1ec01ea78c8acd43c9cb67dda8628cf1559bdcba1c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20795651735a3b9de9a7cd1ec01ea78c8acd43c9cb67dda8628cf1559bdcba1c
SHA3-384 hash: a373a2a9dc83e6a033145c3b9f45f5255514e2e08f0cd5484119a2e92f14bfe13a87caf00f7814e4e546584c45116a7a
SHA1 hash: 50c06ee54498c3a960baf9aca1f62909edf1981c
MD5 hash: 126a06711f90b3bb00d5cdf657bbd381
humanhash: speaker-item-berlin-papa
File name:RFQ #6553928_PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'027'584 bytes
First seen:2021-01-22 07:06:17 UTC
Last seen:2021-01-22 09:15:39 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:iRplyBXBB1W2OVJyTM8O8vv7q30QrOdi2Qlx0LHx689f2HuizVtL:cply5B3WHVYOw+kV9UkRB9O3zVZ
Threatray 2'403 similar samples on MalwareBazaar
TLSH F525DF4036E8AB47E83A57F159B0522447B63E87643BE35D4DC374CA0A727410A6BFAF
Reporter JAMESWT_WT
Tags:AgentTesla exe Telegram

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ #6553928_PDF.7z
Verdict:
Malicious activity
Analysis date:
2021-01-22 07:05:59 UTC
Tags:
stealer
Link:
https://app.any.run/tasks/4936b761-337d-4b93-b273-41894cc987b7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113457/
Detection(s):
SecuriteInfo.com.Artemis126A06711F90.17552.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/588022
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/20795651735a3b9de9a7cd1ec01ea78c8acd43c9cb67dda8628cf1559bdcba1c/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-22 04:55:52 UTC
File Type:
PE (.Net Exe)
Extracted files:
21
AV detection:
5 of 46 (10.87%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=eb4vmultli5z32nhzupmahvhrsfm2q6jznt53kdcrtyvlg64xioa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
165dd44f1f2c93862bd2c1bfdcc929d96b14a996bd08a7552f18be5e2e1f98aa
AgentTesla
2c3a5672edac823cdf4801786f4d4802acdca915a8becd6b544d94c0f2024f4e
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
38cf806ecaf30b5209ebce1a41e7ac877d3201cec05f4a665fe85797a7069bbc
AgentTesla
428b4819734a979d5685b235d190ab9e07bfd6e5098e22ee9195cd386dc701d0
AgentTesla
8a3c02f3f221e3874e057b7a98a43560d291f886f4b5351051f2876bc2f8c4e6
AgentTesla
95eaed904a48a580a9ba80eb8193b178f08b3da26d830b7a8b2fa8f5e3b5186e
AgentTesla
98cea7e20d6760aa8052e7be2968a74df11f602bf9860243631f1a56140fa13c
AgentTesla
e497cfbd4e4df1948752cf38a3125c68ec2bbc77d769217029d0938df07029bf
AgentTesla
ea9e3a35bf63a53744470468e57b73de8c319b607ac61b399db08f2696744195
AgentTesla
+ 2'393 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210122-7wqdeedah6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla
Unpacked files
SH256 hash:
0302065756cde120cc7e07c616bafcad5e015fad12ce40280b6a851822a1af30
MD5 hash:
8c33257a26468d7177ecbe2f2d8bef97
SHA1 hash:
d834de124755dae223cb18a2cdadf69f2e6eb1df
Link:
https://www.unpac.me/results/dbb67ce5-8343-42c1-bb37-06fe97fe3550/
SH256 hash:
060a6dbecdf56970d8341f27218efbf38ef9401a6270a0b4117bfbe988c3c493
MD5 hash:
e888bb5367f8dbd312db33c087147212
SHA1 hash:
d121b83de5c62c49e8fbe23204b8dc53ea9b5b47
Link:
https://www.unpac.me/results/dbb67ce5-8343-42c1-bb37-06fe97fe3550/
SH256 hash:
827b1567aed83bb64c2f80fbc4a993897013a3ee7b0d3ebe6793e3403db4d140
MD5 hash:
9a057132c5036180525f94054c71a6eb
SHA1 hash:
4f8cae092d6447c25d55adb7efe7d275044273c2
Link:
https://www.unpac.me/results/dbb67ce5-8343-42c1-bb37-06fe97fe3550/
Parent samples :
2f7e4765fc3bff8324b7353df04b086292c5a70f788d8193c95d1fc00f43f18a
3f8807728cce4b1e55293cd3577fdd36457c1568a23594d4cbfaeab45a10c574
9d4758703ed1e3968a75f93405df6202a6b1b749f7806965560c23237fdfe2b4
SH256 hash:
20795651735a3b9de9a7cd1ec01ea78c8acd43c9cb67dda8628cf1559bdcba1c
MD5 hash:
126a06711f90b3bb00d5cdf657bbd381
SHA1 hash:
50c06ee54498c3a960baf9aca1f62909edf1981c
Link:
https://www.unpac.me/results/dbb67ce5-8343-42c1-bb37-06fe97fe3550/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20795651735a3b9de9a7cd1ec01ea78c8acd43c9cb67dda8628cf1559bdcba1c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/113457/

Comments