MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 460fa5b8dd75116e68328d16996e31acbdb17183d127bc535a86df01889bd08f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 460fa5b8dd75116e68328d16996e31acbdb17183d127bc535a86df01889bd08f
SHA3-384 hash: 68f6dc7f61b90b8ac516e3bba68e29dcd726f10c17fabc404c62bd0321f6f8dfa84880c30999feddf6d54b8ee140c6a9
SHA1 hash: ecc4470ace2e1e3a5a64b22835c026f9ec7f9c5b
MD5 hash: 6268db66234ad00b0b784e6a1fd50170
humanhash: march-papa-uniform-foxtrot
File name:Request For Quotation.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:827'904 bytes
First seen:2020-05-04 21:42:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 226840561775b99befbf510bf424651d (8 x AgentTesla, 4 x Loki, 2 x NanoCore)
ssdeep 24576:sF/Ds4LoVX1hagvZVxFgxbDWcVPpiNYQ+n:mJMbh9VxFgd6eqYd
Threatray 10'930 similar samples on MalwareBazaar
TLSH F005BF22B1904C37C1A22A3F9C4B9764F92EBE51FE2866813BF51D4C5F397E13929187
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: acserviciosgenerales.com
Sending IP: 209.58.149.97
From: Sylvia Dcosta <administracion@acserviciosgenerales.com>
Subject: Request For Quotation - RFQ 05-0020
Attachment: Request For Quotation.pdf.iso (contains "Request For Quotation.pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Win.Dropper.Remcos-7759529-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Gathering data
Threat name:
Win32.Trojan.Injector
Create hunting rule
Status:
Malicious
First seen:
2020-05-04 22:36:32 UTC
File Type:
PE (Exe)
Extracted files:
3
AV detection:
27 of 31 (87.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iyh2log5ouiw42bsruljs3rrvs63c4md2et3yu22q3pqdce32chq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
1933047daa20bb10d832d589f39d4c0ae7035691041af24d218dca5ac83c5f92
AgentTesla
3e12b0587d24f1f28bfc04ac59f0479bd458d042e5ec0602276ca8044c5b77ce
AgentTesla
46075243ad8ff07178b1f3e467ac675a2380f05c742786b93a67f5728c80d14d
AgentTesla
47c8fab622177ddaa495e4b9294c0949be6c7572ef15f831ee7c326af0200ccb
AgentTesla
506fd293063c74af7a3a513778629c01117ae57bea33b1bfff199999a690536b
AgentTesla
68ee120de5e3ced8f322781d78428addf813a759ce03f61c12d96ab5184f4515
AgentTesla
7ff0b93f3ac5f3acfe8f9718a8c6d0828e65f39e08cee553312cd24d8aed6dd1
AgentTesla
9feec7852ef1647fa53b548d5d55ae251bd5df7f112f22a63238612b6ffad1ea
AgentTesla
9ff973461fe556e748939d04aab5d5c8452cdb6350d52dbabefb347fc461ef5b
AgentTesla
a298c08fb2a91450f6b1e2af86fbc8ece3c290e1812c4a4ee77ce273b595c2b2
AgentTesla
+ 10'920 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan upx
Link:
https://tria.ge/reports/201109-m5d3tk6mr6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 69c05979c538d7330d6926a2d6d43061c1df78ca895d6a216d181ca4c0628e95

AgentTesla

Executable exe 460fa5b8dd75116e68328d16996e31acbdb17183d127bc535a86df01889bd08f

(this sample)

  
Dropped by
MD5 d1efb26e406d49b94dfd1c8bc461338a
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 69c05979c538d7330d6926a2d6d43061c1df78ca895d6a216d181ca4c0628e95

Comments