MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 670722e76eb0821959829571a7e70310d97b254abeba166950e39df1443482f9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 6 File information Comments

SHA256 hash:	670722e76eb0821959829571a7e70310d97b254abeba166950e39df1443482f9
SHA3-384 hash:	74938ebaf9bfae8071cf6dc66906179678601f687496d04c8b66d2b741457c9c4b84dde5097bca6500a60c9998b354e2
SHA1 hash:	ecc59be83b68aeb85b32ba2d317cd08b87054756
MD5 hash:	23495a6a0fd6123653dea6900654b7f6
humanhash:	timing-juliet-queen-steak
File name:	Purchase Inquiry 040521.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'842'016 bytes
First seen:	2021-05-04 17:24:39 UTC
Last seen:	2021-05-04 17:52:39 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	768:k1cDXumzNLh+UM1Fv6is77PKL7SlVVrMNiabA55QTO79l517YUO7Vb97jre33//9:k1cD+yOa
Threatray	4'454 similar samples on MalwareBazaar
TLSH	BD85366063FED450B3E7BF9987B832232D0B7FB78B3A108C629682645E18C5564E7774
Reporter	James_inthe_box
Tags:	AgentTesla exe signed

Code Signing Certificate

Organisation:	5Ra03806f717f8Qeea88fa25j
Issuer:	5Ra03806f717f8Qeea88fa25j
Algorithm:	sha256WithRSAEncryption
Valid from:	2021-05-04T12:25:51Z
Valid to:	2022-05-04T12:25:51Z
Serial number:	445dd6865be6a34322dc022502f04687
Thumbprint Algorithm:	SHA256
Thumbprint:	c539b4a8d1453c896eaf39288a717c0b52a2764c8cb77c52fab78b2413036c70
Source:	This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/149821/

Detection(s):

SecuriteInfo.com.Mal.Generic-S.26984.12474.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a window

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/710643

Signature

.NET source code contains very large strings

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/670722e76eb0821959829571a7e70310d97b254abeba166950e39df1443482f9/

Threat name:

ByteCode-MSIL.Backdoor.Bladabhindi

Status:

Malicious

First seen:

2021-05-04 15:06:35 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

12 of 29 (41.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m4dsfz3owcbbswmcsvy2pzydcdmxwjkkx25bm2kq4oo7crbuql4q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

65e210b78d73141c61b7087dce60499ca6c225e1b028d3951589c93baa8f0668

AgentTesla

74c2f8176fadf84bb04083901d52033b0975245676b45cd8607d80bebc91e570

AgentTesla

ac9a33415eb6ec83ead8f10e2f749b5d5c53f7fb9e758d686e1b01819b44c86a

AgentTesla

b045b7b993b005e1930ca50a9eb65df8b62ca29d1dfdbbb28ca6621384172908

AgentTesla

c21d2f1d2c5dad844ee2c789b2a424f0808e9eaf4edbf4319dca34531aacbe2c

AgentTesla

c4ee3e5cecf3510d88b59f4122e88f50dc99a761338dd1f8fc3eff6bfed2e005

AgentTesla

ce8284965a584e028e1c301a747acf3dfb472df4b06263b42634d00f7b40f77e

AgentTesla

ddcf7dc656f8ac2165462e1099333cf3330717f0a90a2f44ed584c987b2a2326

AgentTesla

e9dfce0612e8677dc4cc4e45373c383f300a940789379eaa950fc90dfc85a96c

AgentTesla

+ 4'444 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210504-be3xtmq3bn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

322317edbc94a01dd6839450b08504a1ad42ce973a666d3cb2b6eb8258085276

MD5 hash:

16041f47082df52239149c313fc699e8

SHA1 hash:

8a72b28de19c80b3fc984d5dbb331b346e4a41bc

Link:

https://www.unpac.me/results/99cb606d-452a-4186-ad15-d4fad994cb8b/

SH256 hash:

a60f250c469ef6047e22783a91d3e3ee65c0e268a3361e1e5e7d2f39cfa5dd20

MD5 hash:

5aeb944e870a28feddd30439a82bfce3

SHA1 hash:

31f6787fa0d68b280feccbdb161745826d1e8dd7

Link:

https://www.unpac.me/results/99cb606d-452a-4186-ad15-d4fad994cb8b/

SH256 hash:

670722e76eb0821959829571a7e70310d97b254abeba166950e39df1443482f9

MD5 hash:

23495a6a0fd6123653dea6900654b7f6

SHA1 hash:

ecc59be83b68aeb85b32ba2d317cd08b87054756

Link:

https://www.unpac.me/results/99cb606d-452a-4186-ad15-d4fad994cb8b/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/670722e76eb0821959829571a7e70310d97b254abeba166950e39df1443482f9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/149821/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample