MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f7a4d62b491af06b4516daf257d1fa797ba9e065f452ce0d71e3b6f0fbc6a45. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4f7a4d62b491af06b4516daf257d1fa797ba9e065f452ce0d71e3b6f0fbc6a45
SHA3-384 hash: d88f793b09ad9dfe357757f620e984fc6d5009d19fec7aaa3c785e5381308aad604fa6deaf99706e0565a94f5000635c
SHA1 hash: e1f196be597b09aa04e579c0d262430c3ceef1af
MD5 hash: 85dce22797e101bc36b616796e95acd3
humanhash: music-sink-india-alabama
File name:Richiesta Urgente.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:805'888 bytes
First seen:2020-11-18 12:55:21 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5113dec31b8616dbad783836e7188783 (11 x AgentTesla, 2 x HawkEye, 2 x Loki)
ssdeep 12288:Sl1aMljBMKnw6WJoGPb5FUoRAVyImHlawsj8e5G7G0XNx:UJCKxWfPNFwyIUlawu5G6AT
Threatray 2'906 similar samples on MalwareBazaar
TLSH 64059F23A2A15873C1E316788CCF6BB8AD2EBED03917B9876BF41D48DF392813515197
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: normansrl.com
Sending IP: 185.239.242.114
From: elvira.vairo@normansrl.com
Subject: Richiesta Urgente
Attachment: Richiesta Urgente.pdf.zip (contains "Richiesta Urgente.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Fareit.bh.16492.UNOFFICIAL
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/541070
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4f7a4d62b491af06b4516daf257d1fa797ba9e065f452ce0d71e3b6f0fbc6a45/
Threat name:
Win32.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 11:04:19 UTC
AV detection:
27 of 28 (96.43%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=j55e2yvusgxqnncrnwxsk7i7u6l3vhqgl5cszygxdy5w6d54njcq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7
AgentTesla
60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8
AgentTesla
68d0f7126ce746301b1b43bb0e65c8809fd5883224d46575b53cc32b3fec570f
AgentTesla
7b87995c3121e530fa11c32b58690f875c58f5dec133c5cb57c22fdf4ee237bb
AgentTesla
8057851cf4105478c20392952836523bcea180de7ed78247c46fea0f5c9127dc
AgentTesla
b2ec3cbaca68c03cabfbd50b7b94908971b26a52e5eacd80d499844944929c1b
AgentTesla
b61fd6fa3079321e5231c3bdea1d4894b2de3fb8a8e38c2cb2c3d4754a7da86d
AgentTesla
bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
AgentTesla
c6d32cce563241de2f9137ed8a1812a2413cbed6f84d4d6870202fa0fcd1e01e
AgentTesla
deb787123698fbdeae3c8561b4c7fef3e01ac5443519661c644608dc9df85867
AgentTesla
+ 2'896 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201118-c11rsc3e3x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
4f7a4d62b491af06b4516daf257d1fa797ba9e065f452ce0d71e3b6f0fbc6a45
MD5 hash:
85dce22797e101bc36b616796e95acd3
SHA1 hash:
e1f196be597b09aa04e579c0d262430c3ceef1af
Link:
https://www.unpac.me/results/406803de-403b-4719-a65c-c4dcc23fd69a/
SH256 hash:
0f91fdd73dfd78bf5a35bce9ea508fa70eb1ca86a13eaa80a484d7e724ef4434
MD5 hash:
4f7fa0910f13ee231ca679fb3b1e18fb
SHA1 hash:
9ac60ced1ade9c027ad3f12c498d08d67b574ce4
Link:
https://www.unpac.me/results/406803de-403b-4719-a65c-c4dcc23fd69a/
SH256 hash:
b27a2fea932c9aa830756a19a9ca520f4b3aee94eecd53b6343e4fc61ffa5c86
MD5 hash:
dc4356c906096b55f3f30c8b5fde1089
SHA1 hash:
f953dbe2779af8707fc0980dbf81dad7c32e3c2b
Link:
https://www.unpac.me/results/406803de-403b-4719-a65c-c4dcc23fd69a/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip a05ec95cd73456e58e6ac83f442f0b65b6d27b36fb38420c1829f73696e8e6a4

AgentTesla

Executable exe 4f7a4d62b491af06b4516daf257d1fa797ba9e065f452ce0d71e3b6f0fbc6a45

(this sample)

  
Dropped by
MD5 3f3fe5bd9037d4b8acecb103f5b05c82
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 a05ec95cd73456e58e6ac83f442f0b65b6d27b36fb38420c1829f73696e8e6a4

Comments