MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 539d75f22db3ccc962683432784f32863230bcd123f5b545debbe51023ed1cf8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 2 File information Comments

SHA256 hash:	539d75f22db3ccc962683432784f32863230bcd123f5b545debbe51023ed1cf8
SHA3-384 hash:	04ec99d3c6d7f1a3446793614a48724e8c2608bdc1bd24665207fa2f294ac0a8ccd22da1dba4757bea5d650b918540e4
SHA1 hash:	ede72aa8d39f46442b34f7aba5141010b8fec713
MD5 hash:	d8bceed11354da887fe4ad8f032957a7
humanhash:	spring-mobile-floor-robert
File name:	Request Quote212021#P000001488.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	938'496 bytes
First seen:	2021-05-21 12:50:39 UTC
Last seen:	2021-05-21 13:06:50 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	24576:UzLfzixDk84e3lUn3b/gyhP/LQgJK8eHzbIGlo:Uzz/Be1Wr4mQgJDe/Iwo
Threatray	5'108 similar samples on MalwareBazaar
TLSH	D515BF5F325C379EC52BC275B9780C38DAE07E678316910BB4E79CAD491C98AEF111E2
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

111

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Request Quote212021#P000001488.pdf.exe

Verdict:

Suspicious activity

Analysis date:

2021-05-21 12:51:35 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/5744da3f-33b7-4380-9fe8-3c4dfa0c68e7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/160470/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.747-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/787252

Signature

.NET source code contains potential unpacker

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/539d75f22db3ccc962683432784f32863230bcd123f5b545debbe51023ed1cf8/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-05-21 01:06:52 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=kooxl4rnwpgmsytigqzhqtzsqyzdbpgrep23kro6xpsrai7ndt4a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

22637e06185c1729dc491bf0d47763f8e549ae5a16223b04579240a0bbfa9f1f

AgentTesla

25e023b62ee80e6d9de88b4e98da96e085f690d11a3b0c4d7a5aa1c1ac7bf4fb

AgentTesla

54cbf563334d886d981722181262d0b4d789d401e01c144001f7920cec661a65

AgentTesla

5d682752f7d6be29263d214f2b04f2db8371f42afd05852f5a32d54a135cb437

AgentTesla

7eeaffa8646a835347abeec5612f1fde6869c495d37f8a039513411e9b52a668

AgentTesla

95f09e032a3c803a4104efd4bb56166edb75dcd7d4c872913b7c51e716cd5893

AgentTesla

9692d3fcbe8181eb9b964c8ce0d960a3c3f64e84e231baa607798971c744cde8

AgentTesla

ad306f9b10c9cd26497ef01c1c941f4445db27befb24c07c5398f398f9f3ebaa

AgentTesla

ed16af86e5ba09e46175311cf0eb7e3e1684aba68ed59be8e7327b4a47245326

AgentTesla

+ 5'098 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210521-hpl5n116as/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/539d75f22db3ccc962683432784f32863230bcd123f5b545debbe51023ed1cf8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

URLhaus

https://urlhaus.abuse.ch/url/1184787/

Cape

https://www.capesandbox.com/analysis/160470/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample