MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54297a66291e2f879e2eaae44cb06032719d69299968e28c237f6315fe1d7eb1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54297a66291e2f879e2eaae44cb06032719d69299968e28c237f6315fe1d7eb1
SHA3-384 hash: f1e18e85d04f054fed83f7a270b36bba31786a861c8141a015db24942d2b8686948d35c37bf881c962097b0d3c147639
SHA1 hash: 4568f0ba42f55c24ebe23492985b4e339a3b0f88
MD5 hash: f394711ec1787e395c62f2c43a8a7956
humanhash: zebra-friend-diet-apart
File name:Official Request for Quotation Reference Number 5670092 scan00029288.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:720'896 bytes
First seen:2020-11-24 10:47:55 UTC
Last seen:2020-11-24 10:48:30 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:z1iuajyZPrW9ayBGkwyntazNL1PI8IOvQ9yUt8LFQdxDdAA:RiuauZPrNyOytazNhg8IXJ8kxJA
Threatray 1'462 similar samples on MalwareBazaar
TLSH 61E4CFF16380C965EAA76A78C43696932D73B51FDD28890C3D95BF0B3C723064417EAB
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
173
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a window
Enabling autorun by creating a file
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/545902
Signature
.NET source code contains potential unpacker
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/54297a66291e2f879e2eaae44cb06032719d69299968e28c237f6315fe1d7eb1/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 10:48:07 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
24 of 28 (85.71%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kquxuzrjdyxyphrovlsezmdagjyz22jjtfuofdbdp5rrl7q5p2yq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13dcde3e9c6f160ab11c94f84aba6b7a1b802126258e59f872fd1ae61ce8ff64
AgentTesla
3b8067fda3a018631e93bcc5e5ab73c56adc91c4964c45c092d42f2cc9acea6e
AgentTesla
7323b8d5a71d744ada47370e02c8d86eb551bacb6881aee27ed7ec61cc22e068
AgentTesla
7a68b68dbc26cebe34fe472b9dc79c1bd76c6b1ff7a4d404d75e5f02c6254865
AgentTesla
9cf0b4703f06c87631dea093eafc72aa13da5a1721af35c0a635769bc3f88d8e
AgentTesla
b1601867a9da1a51e59ddfc6c1d2d4cae7190945cbc163a04400a1b2b872aee8
AgentTesla
c1823f0befbdf02c1275d0641e142aeebc8d70d9dab04816ada7339da23061e2
AgentTesla
da4e120e4586c277edfa8a75a76f502a53c60594caee8b0bdf452220c9c61efb
AgentTesla
e3a91686f76e269f4adb652961ecbc785968c32d617ce19a620050894f13b184
AgentTesla
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
AgentTesla
+ 1'452 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201124-hrqs413y32/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
AgentTesla
Unpacked files
SH256 hash:
54297a66291e2f879e2eaae44cb06032719d69299968e28c237f6315fe1d7eb1
MD5 hash:
f394711ec1787e395c62f2c43a8a7956
SHA1 hash:
4568f0ba42f55c24ebe23492985b4e339a3b0f88
Link:
https://www.unpac.me/results/b22cd429-179b-457e-9124-1f817cb42d2f/
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/b22cd429-179b-457e-9124-1f817cb42d2f/
SH256 hash:
69d1b4ecd3c25a77ac46ae68ea6e3e00da4476ac99fa2bbe9ccc085c42e244a9
MD5 hash:
ffc55839e72a4eae716ee93fe8bfab25
SHA1 hash:
a6f3cee479162b15ca4ab708fee978e4c7a2aa93
Link:
https://www.unpac.me/results/b22cd429-179b-457e-9124-1f817cb42d2f/
SH256 hash:
fb77604e5a19bd22366f01668993a47f86e2d0009dbac448005a02ef760ce9d0
MD5 hash:
9a4dad6eb68988e4db35bf126f548ba5
SHA1 hash:
d3fa322f61c598f6024ad1f7499c3eed661bb8b5
Link:
https://www.unpac.me/results/b22cd429-179b-457e-9124-1f817cb42d2f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54297a66291e2f879e2eaae44cb06032719d69299968e28c237f6315fe1d7eb1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 27e500b2d560204b09eff6b1f1f1df06f28e6ee67748f06fe91201a34ae8298d

AgentTesla

Executable exe 54297a66291e2f879e2eaae44cb06032719d69299968e28c237f6315fe1d7eb1

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 27e500b2d560204b09eff6b1f1f1df06f28e6ee67748f06fe91201a34ae8298d

Comments