MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 655f642f75237fce5b0547080777dafc29d864bd41d0b53d4f754c205ef499a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 655f642f75237fce5b0547080777dafc29d864bd41d0b53d4f754c205ef499a1
SHA3-384 hash: 0ce8b70231088a11d01fb1ce52adeb89398fc63e8b3ed4245c78c49224269826b9167d08206758feb7aa11f75e58011b
SHA1 hash: 591b2ba9d1216dc5b0d625b69fa0cef0c6911ea5
MD5 hash: 85d229cba9fbee9259a778fd5850858d
humanhash: music-five-delaware-shade
File name:106 RFQ SHEET pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:233'288 bytes
First seen:2020-10-03 05:23:13 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'448 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 3072:PQFHzE25XzMaAmO1rgbG9X8vzj4URDbuHeCoUr1pvSEN+VeWoDO5wNhoQOQeCFFt:0zESzMMO1gNCz/1NeSDOydFt
Threatray 275 similar samples on MalwareBazaar
TLSH 3034295C7114E4CED47A1EB04D5AF13013A02EBE94D6AE0D3C973B6E98F3355188A7AE
Reporter cocaman
Tags:AgentTesla exe

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:Oct 2 23:59:11 2020 GMT
Valid to:Oct 2 23:59:11 2021 GMT
Serial number: AA7508DCBF04763CAE93AEE6A3437922
Thumbprint Algorithm:SHA256
Thumbprint: 8E1C12A2CA56E9391240478C1C2FCFB61A6B72F01F5FB9909E7F70B10432132A
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/67879/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.4991.102.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Sending a UDP request
Connection attempt
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480713
Signature
Antivirus / Scanner detection for submitted sample
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/655f642f75237fce5b0547080777dafc29d864bd41d0b53d4f754c205ef499a1/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-03 01:22:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
17
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=mvpwil3ven744wyfi4eao5627qu5qzf5ihilkpkpovgcaxxutgqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a9e76d04b5ad405d59b6092f545f48dac62b1ce8ed10a260e4f90edff474c24
AgentTesla
14fcbebcc9d8c68ee30c888473ddb5fb08d4f0026b506c66668acb8c49ff0146
AgentTesla
18a2826ae0c8ce3e76a5cb806e89d0070f70cc372cf37468721b8caf8529f401
AgentTesla
529a07889f04d93d54830021a424321fd763b41fe8b8941de3ea1c79eae21532
AgentTesla
bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886
AgentTesla
c9692914eb11d2c1cfb26bae5877943c1769994f857f0aa85b8c8f5064a2f042
AgentTesla
cf22a4ba35e94ec83bdf1aec7b4422009aa33f7c6a2c707513d7b1a9eafb368c
AgentTesla
d325caa897cf6cbf6bbc4f627e39d2376d9f6a3a37c17f91d670aec577d01ea0
AgentTesla
dc17f58054bc14cd28845998cad76324467d4a028a063dbd3846b2de0df5c89c
AgentTesla
f2534f52eda2331872b580d6e36f66969b14c0c1407901e41e563f5ab147708c
AgentTesla
+ 265 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/201003-d5h19hn8ws/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
655f642f75237fce5b0547080777dafc29d864bd41d0b53d4f754c205ef499a1
MD5 hash:
85d229cba9fbee9259a778fd5850858d
SHA1 hash:
591b2ba9d1216dc5b0d625b69fa0cef0c6911ea5
Link:
https://www.unpac.me/results/ec1683e5-ce43-428a-ab6f-558c736306e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/655f642f75237fce5b0547080777dafc29d864bd41d0b53d4f754c205ef499a1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 810c4d1d0aa01da2f79e3f65f213a97584672f9b796c5ab896288afa00cf5700

AgentTesla

Executable exe 655f642f75237fce5b0547080777dafc29d864bd41d0b53d4f754c205ef499a1

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 810c4d1d0aa01da2f79e3f65f213a97584672f9b796c5ab896288afa00cf5700
Cape
Cape
https://www.capesandbox.com/analysis/67879/

Comments