MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 30798ac2e4157b25f548e10f23743df081e52bb62865f3bf539ff54440d6c520. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9


SHA256 hash: 30798ac2e4157b25f548e10f23743df081e52bb62865f3bf539ff54440d6c520
SHA3-384 hash: d956be45bb0de16697fe2c62fe0fca5b8e50a245acdddd3e23602a5890b0937ab28c0dbf167936fdb961fea5b5db7e6b
SHA1 hash: 2aea1a1c9c10ba735ca2d02aa4b5e377191cf69f
MD5 hash: 16eadcaaf131fa1753bad35d90d2c5a2
humanhash: pennsylvania-sixteen-wisconsin-autumn
File name: ADVANCE DOWN PAYMENT INVOICE pdf.exe
Signature: AgentTesla
File size: 294'136 bytes
First seen: 2020-10-07 16:04:45 UTC
Last seen: 2020-10-07 16:44:29 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep: 6144:rLnZ4aRyL1NSzMMO1gNCz/1NeSDOydFa:rLZ46AXS3O1r5
Threatray: 395 similar samples on MalwareBazaar
TLSH: 0054980DB010F88FE96B4EB02C55F4643361A9744480D50E6CA5EE6DEEE169A3C6E3DF
Reporter: cocaman
Tags: AgentTesla exe

Code Signing Certificate

Organisation:
Issuer:
Algorithm: sha256WithRSAEncryption
Valid from: Oct 7 14:18:31 2020 GMT
Valid to: Oct 7 14:18:31 2021 GMT
Serial number: BE25F709E5A06D01370F4F8664D90EA9
Thumbprint Algorithm: SHA256
Thumbprint: D25492BAC96C98DED29FBF450139D21B285F6429ADD7CEF096476424E933DAE5
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 127
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
DNS request
Sending a custom TCP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Setting a keyboard event handler
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Connects to a pastebin service (likely for C&C)
Executable has a suspicious name (potential lure to open the executable)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Threat name: ByteCode-MSIL.Trojan.Wacatac
Status: Malicious
First seen: 2020-10-07 16:06:08 UTC
File Type: PE (.Net Exe)
Extracted files: 17
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: spyware keylogger trojan stealer family:agenttesla
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SHA256 hash: 30798ac2e4157b25f548e10f23743df081e52bb62865f3bf539ff54440d6c520
MD5 hash: 16eadcaaf131fa1753bad35d90d2c5a2
SHA1 hash: 2aea1a1c9c10ba735ca2d02aa4b5e377191cf69f
Please note that we are no longer able to provide a coverage score for Virus Total.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Signature: AgentTesla
File: Executable exe 30798ac2e4157b25f548e10f23743df081e52bb62865f3bf539ff54440d6c520 (this sample)

Comments