MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 677b7ddefe12292fb0c4aabc275bdacb109cafe12d28d9409899e9c62ad00d71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 5 File information Comments

SHA256 hash:	677b7ddefe12292fb0c4aabc275bdacb109cafe12d28d9409899e9c62ad00d71
SHA3-384 hash:	44b2a9fed89214958974ea6dd20ceb14cdbd1a32fc93996d59b2a7bbe1a572f37d31600a2b9be767358df5c4ae6f89c2
SHA1 hash:	7f47db4384e31bcdda62135ddf61452806935b7f
MD5 hash:	4c5befbb316745b9dae59cebfecd7bf6
humanhash:	golf-avocado-hot-oscar
File name:	HDFC Bank 50% TT swift copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	523'264 bytes
First seen:	2022-04-16 06:07:54 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'813 x AgentTesla, 19'735 x Formbook, 12'282 x SnakeKeylogger)
ssdeep	12288:/bsAeE5sg87cruVW/TWlB5JgvqkytFJDtVeAtihWzneCDrQKnkdpQOIaiSQ+:/bHIDFHzneC3QKnyCVa
Threatray	16'047 similar samples on MalwareBazaar
TLSH	T1B4B48D9C722072EFC867D4729EA81CA8EB64787B831F5213942715EDEA5D897CF140F2
TrID	47.3% (.EXE) Win32 Executable MS Visual C++ (generic) (31206/45/13) 15.9% (.EXE) Win64 Executable (generic) (10523/12/4) 9.9% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 7.6% (.EXE) Win16 NE executable (generic) (5038/12/1) 6.8% (.EXE) Win32 Executable (generic) (4505/5/1)
Reporter	abuse_ch
Tags:	AgentTesla exe HDFC

Intelligence

File Origin

# of uploads :

# of downloads :

342

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

29b0327c-2346-4732-975f-1962858ac81a

Verdict:

Malicious activity

Analysis date:

2022-04-16 06:10:54 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/02e2ea2b-5f7e-4e9a-9449-b09e47940950

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/264075/

Detection(s):

SecuriteInfo.com.Suspicious.Win32.Save.a.23488.19744.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Searching for the window

Creating a window

Sending a custom TCP request

Сreating synchronization primitives

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Creating a file

Using the Windows Management Instrumentation requests

Forced shutdown of a system process

Enabling autorun by creating a file

Unauthorized injection to a system process

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

control.exe obfuscated packed

Link:

https://www.filescan.io/uploads/625a5d47482f2f41caba5209/reports/ac6fc53b-93bd-4053-87fc-6d31f11a270c/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/e0dee530-4c5f-4e07-ab70-418746ee5579

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/977616

Signature

.NET source code contains very large array initializations

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Modifies the hosts file

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Add Scheduled Task From User AppData Temp

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/677b7ddefe12292fb0c4aabc275bdacb109cafe12d28d9409899e9c62ad00d71/

Threat name:

ByteCode-MSIL.Trojan.Taskun

Status:

Malicious

First seen:

2022-04-15 08:45:34 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=m55x3xx6cius7mgevk6cow62zmijzl7bfuunsqeythu4mkwqbvyq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

78440c8aaf49191ba9a5a13987c467f7f0dd192e500661543f0590eea20f1773

AgentTesla

9fc03ede4a6507b4d4428b7f48f0308c8be0dd1b14061c46b81c091c206eda6f

AgentTesla

ad1a702f17301fff222e1cf0b679e6d3d739954ce98ac0b90a34b8fc83869ca5

AgentTesla

c7a6ab6e5b40c85b90ff5ae27e76ac3cfb614c20ff0388bdf949401dfb5dfab0

AgentTesla

f5cf5e1d41419e2e2283e3548eb60ea029fa7d24344f3af4536ba8b2363dafda

AgentTesla

+ 16'037 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220416-gvw34sgba5/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Checks computer location settings

Drops file in Drivers directory

AgentTesla

Unpacked files

SH256 hash:

af90216eda94ddd115aa7f7445514114ba6222674990a44b76d09f2c1a096f85

MD5 hash:

2f29c0012e0435d0288ad87e872618b1

SHA1 hash:

829f48de0d0f7f31021f6917525f6cab50cc1bd4

Link:

https://www.unpac.me/results/e4ee569d-5325-4c8d-b183-f28b70b80cb5/

SH256 hash:

dbcd69ddefdc911df023c0c8913f94819d8e390599f1289837a11907aeb66570

MD5 hash:

4324fa53c4f4a16daf3bba5afc7a93fd

SHA1 hash:

797253ad66c0acb6037042c2c6b24b128c5a62fb

Link:

https://www.unpac.me/results/e4ee569d-5325-4c8d-b183-f28b70b80cb5/

SH256 hash:

79823e47436e129def4fba8ee225347a05b7bb27477fb1cc8be6dc9e9ce75696

MD5 hash:

39f524c1ab0eb76dfd79b2852e5e8c39

SHA1 hash:

428018e1701006744e34480b0029982a76d8a57d

Link:

https://www.unpac.me/results/e4ee569d-5325-4c8d-b183-f28b70b80cb5/

SH256 hash:

677b7ddefe12292fb0c4aabc275bdacb109cafe12d28d9409899e9c62ad00d71

MD5 hash:

4c5befbb316745b9dae59cebfecd7bf6

SHA1 hash:

7f47db4384e31bcdda62135ddf61452806935b7f

Link:

https://www.unpac.me/results/e4ee569d-5325-4c8d-b183-f28b70b80cb5/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/677b7ddefe12292fb0c4aabc275bdacb109cafe12d28d9409899e9c62ad00d71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	pe_imphash Create hunting rule

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

Rule name:	t0_1 Create hunting rule

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/264075/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample