MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4059c5c31844e43226ec7b22e9f971aec27765e3822685e3a6b4af541fa6ced3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	4059c5c31844e43226ec7b22e9f971aec27765e3822685e3a6b4af541fa6ced3
SHA3-384 hash:	ebe53ac1ccde80313919b588a7cd5fd4b816feaed66195dd821af3b4df51c11345d66811c2010b3fe793cfc863f70160
SHA1 hash:	d8a46a87541dd082cefc8f54c8f55eba73ef0a98
MD5 hash:	1a26f88b9e0feeec5b92d97a2aae0cbc
humanhash:	muppet-helium-washington-fourteen
File name:	Request Quotation.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'340'416 bytes
First seen:	2020-10-30 08:16:21 UTC
Last seen:	2020-10-30 08:23:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:USHvxXXShyR1m55izgXN5VXGQuwAe+Mr5MJi5UChwoSX:FPxQusY+ZEwnyU5UChwog
Threatray	859 similar samples on MalwareBazaar
TLSH	3455BFE49382D60BDA1F123B95677D10C2679B6689FA834A43DCBC7D27BF7081A80747
Reporter	GovCERT_CH
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

124

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/81173/

Detection(s):

SecuriteInfo.com.Trojan.InjectNET.14.11226.9316.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/516828

Signature

.NET source code contains potential unpacker

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Modifies the hosts file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/4059c5c31844e43226ec7b22e9f971aec27765e3822685e3a6b4af541fa6ced3/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-30 01:35:24 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ibm4lqyyitsdejxmpmrot6lrv3bhozpdqitily5gwsxvih5gz3jq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

5ece83fb3098dfcfa2c8e9dbae44041364219db26d8a653dbb7b0a8223e04dc6

AgentTesla

755bcfb03ddf8019aca959a1a5f46f1e2a8b5e10cce049ce8b80e8f4daaaa143

AgentTesla

9b21a961dea4dd3f79e08cfc5bd13aca22c3ebfefc9d5c347713b4c492d66c1f

AgentTesla

a02fab001fe08ddb9a1ff1113714164bfb779c3c1829e0db5de65a9174f3af7c

AgentTesla

b1e46564ca9ed30c690528cf95e37bc1ee64d97d8da2ed16c4dc22b4478130b5

AgentTesla

bcb53c352f95393a827450f49bcbe18021893c4136ab79cd325228172b5a8120

AgentTesla

d5fa02045d60d623dacb74b1a719e571982f6a68ea7781c06f8d0ce104b98bd6

AgentTesla

e582696b2f3c980a6d81be401fc5da4c24a4b0c490ff6764516a0aa3e3aae23b

AgentTesla

fdcbef10ba86a2c22e2d5b8f6c5a63c51e71b0f268644c4523c2c9d8fa3014b5

AgentTesla

+ 849 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

persistence family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201030-p2ee7tp6r6/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.