MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4fc76fe3b7998ef0dd8b9a9a75268d7b8a63b6c465f9fc162cf341e123c9b344. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 7 File information Comments

SHA256 hash:	4fc76fe3b7998ef0dd8b9a9a75268d7b8a63b6c465f9fc162cf341e123c9b344
SHA3-384 hash:	fe44b9aa9c7a53a0bb853f816ed9670a683cc7b96afb27733347b8f43ee199576387c5caf0bcebda3c6571acab9507e0
SHA1 hash:	694617e3ca9f56f493c7a52a5539200b6ed925ed
MD5 hash:	408134f849eb46666a72b8740d2729fc
humanhash:	glucose-whiskey-victor-illinois
File name:	New Order#454321.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	766'976 bytes
First seen:	2021-07-08 05:41:41 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:/zPjYQIWk9inUFuez4JiIEMYo/6Ko2h+ZwTXn8keDQ95eDI3Luyx+E7RZnbg1KHt:Qxdin5ewimYoToa+ZwD8keDQeDI3Lu8+
Threatray	6'447 similar samples on MalwareBazaar
TLSH	T1A0F46BBD71327AEECDABC6388B342D6C9F58727BD20B227650176459488CB878F61473
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

New Order#454321.pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-07-08 05:42:41 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/ef0c1b5b-367e-470d-ba36-4a1f50c8a8ff

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/170349/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.908-1.UNOFFICIAL

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/437e0b48-9cdb-4e2c-a9ec-ea2f230ca960

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/813264

Signature

Adds a directory exclusion to Windows Defender

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4fc76fe3b7998ef0dd8b9a9a75268d7b8a63b6c465f9fc162cf341e123c9b344/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-07-08 03:25:48 UTC

AV detection:

14 of 46 (30.43%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=j7dw7y5xtghpbxmltknhkjunpofghnwemx47yfrm6na6ci6jwnca._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

592305c859c4bdd2954ef43d4328fd942362f8fa21b1d7ea8d47e46508b0c1c9

AgentTesla

793a4b11f420fac22319c4ea9c2f42d25f3e99e830e6fe292ecf9def80b00780

AgentTesla

85de8a5df2a92006d32b33b64ec638f1e124f4cd95154dd568e7696b11ad1b60

AgentTesla

87621b8c28e96dee7b183db273e1865d1ab0edad8c39ce2948a8d6c1b694ca75

AgentTesla

94cea10956f43a889c8714c742cb10e57b44919a05c2c4703d3111acc5d6aafc

AgentTesla

9555f2493b3e663c2c3b7fd5b7d1a27aa7f0509036fc1b5ac24a794e9b4a2fc4

AgentTesla

a72ee397635337a52d81d5a1d5bea4c48a375af13dc2848737f21c0577ab17b5

AgentTesla

cec78b430e4bb75b78a1f1c4271b030543861f49a8efe5e85d265ff8e70d7228

AgentTesla

d21652e5c2460a23b225dc870a0ca5366f341ee079f63edf01e85bd8fc43f4ac

AgentTesla

+ 6'437 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210708-f5571ckyk2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Drops file in Drivers directory

Looks for VMWare Tools registry key

AgentTesla Payload

Looks for VirtualBox Guest Additions in registry

AgentTesla

Unpacked files

SH256 hash:

5209992fd1f96cd1959efb5e1afa71f5c9ae2ab4430e258fe9d0ec915098d110

MD5 hash:

257ca10e5cbb2f8bdf0ae6f3e900e11e

SHA1 hash:

9d25ee80dbe3bbce5ab4479912c5e21b19b6aeec

Link:

https://www.unpac.me/results/8d88f699-d292-4811-ac15-0088ee2188d9/

SH256 hash:

e6d53d49c8f51f276fd45549842b59166c6a71de35e4185dd6219a689d8e59d1

MD5 hash:

e36a43506a7d0aa4bd77b02ccf5e711d

SHA1 hash:

8f6c13434dba1952cd325cb8301dc52cff72ada0

Link:

https://www.unpac.me/results/8d88f699-d292-4811-ac15-0088ee2188d9/

SH256 hash:

8c910916cb3f9e1c9cc9b427f37515c0b1beb369a7ab993b31abeab07b2932b3

MD5 hash:

a49862425f6ff5e8ee67533fb1fdcc36

SHA1 hash:

1645d707628ea2bbc4c2f5751f52ac61b7dfd76a

Link:

https://www.unpac.me/results/8d88f699-d292-4811-ac15-0088ee2188d9/

SH256 hash:

4fc76fe3b7998ef0dd8b9a9a75268d7b8a63b6c465f9fc162cf341e123c9b344

MD5 hash:

408134f849eb46666a72b8740d2729fc

SHA1 hash:

694617e3ca9f56f493c7a52a5539200b6ed925ed

Link:

https://www.unpac.me/results/8d88f699-d292-4811-ac15-0088ee2188d9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/4fc76fe3b7998ef0dd8b9a9a75268d7b8a63b6c465f9fc162cf341e123c9b344

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 4fc76fe3b7998ef0dd8b9a9a75268d7b8a63b6c465f9fc162cf341e123c9b344

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/170349/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample