MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 54f9063a3d89de5b2c8910c47c72f39dcecdb322c4837aa6f9bb6c75dd5fc29e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 54f9063a3d89de5b2c8910c47c72f39dcecdb322c4837aa6f9bb6c75dd5fc29e
SHA3-384 hash: d5d93a673a98be6452b10b3e9c6fbee30828497ead162e7307d98e08b669d787ad8402288361be5ad9447655c4836c90
SHA1 hash: 0627cf6fa65adffdb5537279b60648241590532f
MD5 hash: 222bed677bc8cb892849460206d576e3
humanhash: nuts-bakerloo-arkansas-maryland
File name:Request for quote.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:550'912 bytes
First seen:2021-08-31 06:26:17 UTC
Last seen:2021-09-05 05:53:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:3MdmlxrStwIvrOz8S7MbfRP4bPhy/2HAXWkXv2CiBhyEkA1tdneOJRWtzsbw:37lxqPSzP7AaPhy/2gZf2CHJ
Threatray 9'175 similar samples on MalwareBazaar
TLSH T1F6C4DF9C725072EFC85BD972CAA82C64FA207877531FD607A06312EC9A4D99BCF154F2
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Request for quote.exe
Verdict:
Malicious activity
Analysis date:
2021-08-31 06:31:42 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/10b5209f-fb91-4a38-86c5-4f2c017a302f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/183968/
Detection(s):
SecuriteInfo.com.Suspicious.Win32.Save.a.25718.8867.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/e8312ec2-91ab-43a2-8cc8-776f95634bbe
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/842277
Signature
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/54f9063a3d89de5b2c8910c47c72f39dcecdb322c4837aa6f9bb6c75dd5fc29e/
Threat name:
ByteCode-MSIL.Infostealer.DarkStealer
Create hunting rule
Status:
Malicious
First seen:
2021-08-31 05:03:04 UTC
AV detection:
10 of 43 (23.26%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=kt4qmor5rhpfwlejcdchy4xttxhm3mzcysbxvjxzxnwhlxk7ykpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13157ec4c9a1d755957cf98ac93f9c89dbf712640bd7e492a7440c67b96a97a8
AgentTesla
1bb5310e608760250c1e8c7d88a73e6f57a6b8629c29bc21fd9431afd5d5eaa2
AgentTesla
3206ceb59dc7e6b70492a3b118f97114f0cf26ed040f42ac9226aab0169210ea
AgentTesla
376d455050f120be85fadce239b9280c208b63f07583471cca9416c88f7747e5
AgentTesla
4e8de8ccb38db94fcf3be5fb78c913f68dd86153f89976e535a8192f42fc8f59
AgentTesla
61c6b5acb3aa24d951c0d50536508fc5245094be0b85632090f294b0e18f1b08
AgentTesla
b20c3245ef7cde5dc9429ef1bcef75cba906df8c09b28b29ac882f62135491a7
AgentTesla
d7b92448ecfd7f178e19428933ffcb94d7df6ffcb255839b508328d060811622
AgentTesla
f365a0a316dd1de07f6145a94b48706d0700661b36f2f5eb915e8c05a602c0c9
AgentTesla
fdbfbe6106c728b22bd5e09caaa8e921f4da233532c36284d2ddc7c45e0ff7d2
AgentTesla
+ 9'165 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210831-szp61qezwe/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
43e38f251dbca9aa20f3470167e5427a7e7a7cdcd25f0b6b045ae8577cd3e345
MD5 hash:
f62ab5d3528d5a3b9e270ea1f9347868
SHA1 hash:
6a74e87711c615adbd9145f829a33f55b7e42dd6
Link:
https://www.unpac.me/results/0997284e-4448-4ef4-82a1-a09143597360/
SH256 hash:
f1084d334bf58fafae76b30437df969c1d03687e5cbd0d77bbe7c1c31c6535dc
MD5 hash:
b56b7e663c61295157404d8109eec610
SHA1 hash:
36cfa12e802e3ff7b6b4ad2c91ecf5784ebd62ab
Link:
https://www.unpac.me/results/0997284e-4448-4ef4-82a1-a09143597360/
SH256 hash:
aee63fe92ee6e57dbb07973147d689a92d10de0b90e342096edc75af07ba7bee
MD5 hash:
72dff9d5a9c3896ca17296b66c59bebd
SHA1 hash:
117ab3c7f85a05cd6f933228a42570cb8851f6d9
Link:
https://www.unpac.me/results/0997284e-4448-4ef4-82a1-a09143597360/
SH256 hash:
54f9063a3d89de5b2c8910c47c72f39dcecdb322c4837aa6f9bb6c75dd5fc29e
MD5 hash:
222bed677bc8cb892849460206d576e3
SHA1 hash:
0627cf6fa65adffdb5537279b60648241590532f
Link:
https://www.unpac.me/results/0997284e-4448-4ef4-82a1-a09143597360/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/54f9063a3d89/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/54f9063a3d89de5b2c8910c47c72f39dcecdb322c4837aa6f9bb6c75dd5fc29e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 54f9063a3d89de5b2c8910c47c72f39dcecdb322c4837aa6f9bb6c75dd5fc29e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/183968/

Comments