MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24e27b79291475c64e5f2a71833ac988a888e66c86d32ad5d5b20be3b7717604. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24e27b79291475c64e5f2a71833ac988a888e66c86d32ad5d5b20be3b7717604
SHA3-384 hash: 3bbd91b1d4a95b23baa95afffefbc0acda5aca4b1c4f2fd42c5ef55fd8f5d3f09665d2b26b6d11b9bf7adc5968635e8a
SHA1 hash: 0fd7d3e125ae5971855a1ba0e204ec5ae0f4829d
MD5 hash: e3fc0a2977f6ace1e8dcc4d170613b6e
humanhash: florida-potato-ack-eight
File name:RFQ.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:599'040 bytes
First seen:2021-10-21 04:16:53 UTC
Last seen:2021-10-21 05:17:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:1RAU6Ibw8eGc07GmIDZjdYj60ATABiNbc9NdXV44DZ+PBiqJFTP:1hdbw8eGc0qme0qgDNZ64F+5iq
TLSH T177D4DF72211A9E9AEF2A3FF8584067802FF47C279B6ED25EADCE709615F3510CE30951
File icon (PE):PE icon
dhash icon c49a18b4949c64d4 (6 x AgentTesla, 2 x Formbook, 1 x SnakeKeylogger)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
146
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/198943/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.17508.10598.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Creating a file in the %temp% directory
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
75%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/6170e9c0a9d585e6d530f3ee/reports/385b4fa0-abcc-404c-b65b-e974baa1bb17/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/54562c87-c291-4e6c-bf27-0032713cc2f0
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/874305
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 506733 Sample: RFQ.exe Startdate: 21/10/2021 Architecture: WINDOWS Score: 100 25 Found malware configuration 2->25 27 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 7 other signatures 2->31 7 RFQ.exe 5 2->7         started        process3 file4 21 C:\Users\user\AppData\Local\...\RFQ.exe.log, ASCII 7->21 dropped 33 Injects a PE file into a foreign processes 7->33 11 RFQ.exe 2 7->11         started        13 RFQ.exe 7->13         started        signatures5 process6 process7 15 dw20.exe 22 6 11->15         started        dnsIp8 23 192.168.2.1 unknown unknown 15->23 19 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 15->19 dropped file9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/24e27b79291475c64e5f2a71833ac988a888e66c86d32ad5d5b20be3b7717604/
Threat name:
ByteCode-MSIL.Infostealer.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2021-10-21 03:50:44 UTC
AV detection:
11 of 44 (25.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=etrhw6jjcr24mts7fjyygowjrcuirztmq3jsvvovwif6hn3royca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
063fbe79691b7ad0a1d64dca20b761f5a9d0b5b7da246be640b40131bfb37734
AgentTesla
39b750cd8b016187c870716b296b59a86281bef52d89916b156b04be5e996059
AgentTesla
4093d9868af45612a60cba690351842d6ec33be2ea23ed0535e8c0bb0cce730e
AgentTesla
63911c3c9ef35552aa2cf56af6154fa3ddc883e1fbc741d07ed179b9b2d98c55
AgentTesla
7320273731dbce41f47cc62a196383cbe81764c7285277c153498818d1135b8f
AgentTesla
90e6f37e7610a98dbec41e0fb11b289f36757d296183d9baa9e182a04de0fdcb
AgentTesla
d4afd94719dafb5d23e131635e1e1caa8d65c1a240f3226015c564e206100753
AgentTesla
e7554bfc25c557b696437cd884bced4c34fcc391262c1c26096f43a2db3ad6da
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211021-ewdbaaafhp/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
fe8bd63dc818e50ecde71d98f707ce95d001ff11bf1b7a6d480d9f9da65924c0
MD5 hash:
d938271afcee95ab2b08926e2f54da60
SHA1 hash:
b8152ae5d72b6d906946f07a281bdf341edd265a
Link:
https://www.unpac.me/results/87e6a6ce-e73a-4283-bfb3-18a72e6b50aa/
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/87e6a6ce-e73a-4283-bfb3-18a72e6b50aa/
SH256 hash:
c7fe35f1f19707d5115afabcf1abec7ef95f7b8bd234b2c0d09562aefc91e801
MD5 hash:
e1ae44208016e1d347f42958a0c4a75b
SHA1 hash:
5d23d71e2114ceb8b93d1caae611a5f95c99e5e8
Link:
https://www.unpac.me/results/87e6a6ce-e73a-4283-bfb3-18a72e6b50aa/
SH256 hash:
24e27b79291475c64e5f2a71833ac988a888e66c86d32ad5d5b20be3b7717604
MD5 hash:
e3fc0a2977f6ace1e8dcc4d170613b6e
SHA1 hash:
0fd7d3e125ae5971855a1ba0e204ec5ae0f4829d
Link:
https://www.unpac.me/results/87e6a6ce-e73a-4283-bfb3-18a72e6b50aa/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/24e27b792914/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.85
Link:
https://yomi.yoroi.company/submissions/24e27b79291475c64e5f2a71833ac988a888e66c86d32ad5d5b20be3b7717604

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 24e27b79291475c64e5f2a71833ac988a888e66c86d32ad5d5b20be3b7717604

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/198943/

Comments