MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a2cdfecba906f227e37060568e74abcecd85612c7f717522d75b59937a3a691. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2a2cdfecba906f227e37060568e74abcecd85612c7f717522d75b59937a3a691
SHA3-384 hash: 88b73b29c0dd27cd71e91664923481c2a6a614fca739352d0ab675e59fb1a5da9314abb79b3b3a47dd5ee3f708c6e7a6
SHA1 hash: 9da6761cb9ed4e1ee1dca298f77217d391354349
MD5 hash: 9052494d96317c7d221e104048ddb40b
humanhash: gee-diet-angel-sweet
File name:Quote_029232455643.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:735'744 bytes
First seen:2020-11-11 14:22:31 UTC
Last seen:2020-11-17 11:40:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:yD0/WcARZ0NmxXeS9Wjy7AB0vbxJODUr3cZubPZnf7k6qVuWz+:yCyEIH/3Su7Zf7FjWa
Threatray 1'111 similar samples on MalwareBazaar
TLSH C5F4BEA773982F6BE07DD3B65428181683F1ED52D723EB4C7D8B30CE8495F92879160A
Reporter theDark3d
Tags:AgentTesla exe malware smtp

Intelligence

File Origin
# of uploads :
3
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.15828.21028.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/530312
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 314258 Sample: Quote_029232455643.pdf.exe Startdate: 11/11/2020 Architecture: WINDOWS Score: 100 41 Found malware configuration 2->41 43 Multi AV Scanner detection for submitted file 2->43 45 Yara detected AgentTesla 2->45 47 6 other signatures 2->47 6 Quote_029232455643.pdf.exe 3 2->6         started        10 RdmVDb.exe 3 2->10         started        12 RdmVDb.exe 2 2->12         started        process3 file4 23 C:\Users\...\Quote_029232455643.pdf.exe.log, ASCII 6->23 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->51 53 Injects a PE file into a foreign processes 6->53 14 Quote_029232455643.pdf.exe 2 9 6->14         started        19 Quote_029232455643.pdf.exe 6->19         started        55 Multi AV Scanner detection for dropped file 10->55 57 Machine Learning detection for dropped file 10->57 21 RdmVDb.exe 2 10->21         started        signatures5 process6 dnsIp7 29 us2.smtp.mailhostbox.com 208.91.198.143, 49755, 49756, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->29 31 192.168.2.1 unknown unknown 14->31 25 C:\Users\user\AppData\Roaming\...\RdmVDb.exe, PE32 14->25 dropped 27 C:\Users\user\...\RdmVDb.exe:Zone.Identifier, ASCII 14->27 dropped 33 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->33 35 Moves itself to temp directory 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 3 other signatures 14->39 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2a2cdfecba906f227e37060568e74abcecd85612c7f717522d75b59937a3a691/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-11 06:43:44 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fiwn73f2sbxse7rxaycwrz2kxtwnqvqsy73rournow2zsn5du2iq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
350d069225cb53bc0c3762da5cc170eac2737318377be141a5485651105914f6
AgentTesla
376f3a94cb7d2af93a4a3eefb2bc9cf4972f4f6868ea8309fed1ba83bf81e1e8
AgentTesla
49c6670d4f39dc6dd945ae5bc5a1ab86b8af9e6e20efcf7d46886765fbe32a7d
AgentTesla
5ccb4b42592b867c638bc0b10bd75d11865ee1bea36d8242bffe1aba403336e4
AgentTesla
6379dc9d3b0cb120a25eee76368258252cb55c5c67f9c880f929115adfb67838
AgentTesla
88801297a310f88fd29cf5b1e9066eee829a6bf43fe65108f4bc64932b1e845b
AgentTesla
89413cdc62fe4db87e6879f9d43ce136b10dec2c241382bf8d42020b2f432b0c
AgentTesla
a915c3b5063684919714518b71d0029802c7b6ff100867abe5ce7d935d8ea27f
AgentTesla
dc6a499c7c08de87d5d986fbaf33a59debbc355d00b04d69f340d6d7c346e98d
AgentTesla
ef91cdf4d2ae2a3dd427b89bf9a2e057ec1f6308aba537b7d808e999bb9815f8
AgentTesla
+ 1'101 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201111-f2xh8q9w2a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
2a2cdfecba906f227e37060568e74abcecd85612c7f717522d75b59937a3a691
MD5 hash:
9052494d96317c7d221e104048ddb40b
SHA1 hash:
9da6761cb9ed4e1ee1dca298f77217d391354349
Link:
https://www.unpac.me/results/c627fda7-4438-47c8-84dc-7d2072a9cbcd/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/c627fda7-4438-47c8-84dc-7d2072a9cbcd/
SH256 hash:
0e7e5d473e6f4cbda36b6b28debb0e439cb857b8966f00f520c15dd031935c8c
MD5 hash:
a393d05a3eef3efe62725c75f8c67d3d
SHA1 hash:
0a12a6212ba311c7be9dfdb4775f7de1f0b894cd
Link:
https://www.unpac.me/results/c627fda7-4438-47c8-84dc-7d2072a9cbcd/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/c627fda7-4438-47c8-84dc-7d2072a9cbcd/
SH256 hash:
0e430a9e6a2f2918bd60424546b3f8d7977c89e19265956a141989d7d6195847
MD5 hash:
d8abc6a3739588414581ef8493858679
SHA1 hash:
789adaa7f8756411f5b5bd7cac9f699877596c33
Link:
https://www.unpac.me/results/c627fda7-4438-47c8-84dc-7d2072a9cbcd/
SH256 hash:
516540d650dd8bedd1f924426032276a3e77203618c32b5448695ef03df29b27
MD5 hash:
ad68bad4faae52a12fcc351aa08c5081
SHA1 hash:
cb84a4a8a1e03d7a5ee7cf0cd30daac5ddcd3ff9
Link:
https://www.unpac.me/results/c627fda7-4438-47c8-84dc-7d2072a9cbcd/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments