MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 27fc7bf4086ffad09feb291debd2bac6ca899d45dd3bc9816a3377e9324348b0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 27fc7bf4086ffad09feb291debd2bac6ca899d45dd3bc9816a3377e9324348b0
SHA3-384 hash: e68a3b7d5043bbff2e7573c476f14b913c50452820e6b9442163b872e7200c0fbeead5dd3f9d0e154577ca2d790b1c32
SHA1 hash: 06ede6a2f07bf39e6f33c9cc6a82f6a45861f9a2
MD5 hash: 1171670b26cf33d8001c987ba10338aa
humanhash: bluebird-angel-double-foxtrot
File name:DOCUMENTO DE ENVÍO Y LISTA DE EMBALAJE.PDF.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:500'224 bytes
First seen:2020-10-05 14:55:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:RFkguZKC4KONPgSzAQukhR+0nj6G84vT2kEUoX:RFkgNC4pNPgSzcQZ6GTftoX
Threatray 345 similar samples on MalwareBazaar
TLSH A2B4E02213889BABC37D2E78C44241068FF8AD925363F78DBCA478D555F6F82B311769
Reporter abuse_ch
Tags:AgentTesla bat ESP geo


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: smarthost1.gohsphere.com
Sending IP: 173.0.129.227
From: Brian Martinez <brian.martinez@sanmina.com>
Subject: DOCUMENTO DE ENVÍO Y LISTA DE EMBALAJE--
Attachment: DOCUMENTO DE ENVÍO Y LISTA DE EMBALAJE.IMG (contains "DOCUMENTO DE ENVÍO Y LISTA DE EMBALAJE.PDF.bat")

AgentTesla SMTP exfil server:
mail.soin3.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68272/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481710
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/27fc7bf4086ffad09feb291debd2bac6ca899d45dd3bc9816a3377e9324348b0/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 14:49:29 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e76hx5ain75nbh7lfeo6xuv2y3fithkf3u54talkgn36smsdjcya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
106f9f66c54be3c20be8f04ce63f5d6183d6eb9e79a6b243b5c820cc01ee24cb
AgentTesla
546ca9154ddc425843391ba45da25d60e4c89d85d34dfc5028fb56ed94861bbf
AgentTesla
6378dda8047cccbf0228f9a7c92e6c1650255bbb4fbde0e20c05149f50518dc6
AgentTesla
70043ff6d416c9ac20ada0e4b9031e5d55d2733a96eb4ddf3ec327c4b8abd8d2
AgentTesla
745a8ed362468f17a52c1b7f8b128250ce9c7d3949890166259e2e1ac3069e3e
AgentTesla
92ce1caafd5440632d32f232194b05aeeb49702d5bb2d5c6e0f4af2311631180
AgentTesla
b27e64df6a3791d23937cdc503aa9314770409a13dab6565b05570381cd71189
AgentTesla
c1dad248279062c4c79245226d28fe8565bad5d652b0dae10ed81b310581e73d
AgentTesla
c8d85cc6740894dd1333bfa06c37b334a4f341cefbd13ef8fa803732aa688c40
AgentTesla
eeba7537e3916a6c6d52340f648f970c4ad8369052fbc235b5ce4e3f166c9aae
AgentTesla
+ 335 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201005-jzh83fze5n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
01dd844990e0c5fdcea0f88712253aa1ef4750316f0734ab7099306170b5ea2a
MD5 hash:
eb593633270aa19162cf64663df9dd6c
SHA1 hash:
2ec57181471ff10abe9a04239ca3ea86ea4252b9
Link:
https://www.unpac.me/results/6a4ee751-16b7-43d6-913e-8f8a37cc0a05/
SH256 hash:
9974a3af9d5eff9ff82c1e6dca6e035d4989f089e7cd43f191cb3df2f873258f
MD5 hash:
333c62025943471baed5f56054b36011
SHA1 hash:
9ce3a8630477aa277320ae15861f832ecf9e5973
Link:
https://www.unpac.me/results/6a4ee751-16b7-43d6-913e-8f8a37cc0a05/
SH256 hash:
05defc60aa58f72513c3cc1ea95ba96c32288b23d7c09f098c4bc11c8870b73c
MD5 hash:
2e720a581487685dde2fd41216435e40
SHA1 hash:
d1768c9b1cd455d68688a19b6e99ece9987fe1cd
Link:
https://www.unpac.me/results/6a4ee751-16b7-43d6-913e-8f8a37cc0a05/
SH256 hash:
e82c167a55572b72416e8acb676ca657b5501ce7e7af85a54591fa7bdb9c5656
MD5 hash:
da6b21119bb42f3518e5c3b1e3e4da7d
SHA1 hash:
eb8f8df6d9deae70f66c1374863f7d9212ca6cc6
Link:
https://www.unpac.me/results/6a4ee751-16b7-43d6-913e-8f8a37cc0a05/
SH256 hash:
27fc7bf4086ffad09feb291debd2bac6ca899d45dd3bc9816a3377e9324348b0
MD5 hash:
1171670b26cf33d8001c987ba10338aa
SHA1 hash:
06ede6a2f07bf39e6f33c9cc6a82f6a45861f9a2
Link:
https://www.unpac.me/results/6a4ee751-16b7-43d6-913e-8f8a37cc0a05/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/27fc7bf4086ffad09feb291debd2bac6ca899d45dd3bc9816a3377e9324348b0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 3fbf0430967b2fa0701e2fb6f360e6faee70b6a906d947ae361ebf2e78965262

AgentTesla

Executable exe 27fc7bf4086ffad09feb291debd2bac6ca899d45dd3bc9816a3377e9324348b0

(this sample)

  
Dropped by
MD5 6e8f140d80eb0dde5ebe611ad34326b8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68272/
  
Dropped by
SHA256 3fbf0430967b2fa0701e2fb6f360e6faee70b6a906d947ae361ebf2e78965262

Comments