MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923
SHA3-384 hash: 3a92af59fdddda8b6f90cf5499b27526168bbc909c744833a14a878972a8174fb766d87509978292d0626caa1820e82e
SHA1 hash: dde5a61b58ce44a985ee7ca8d4a789140063616c
MD5 hash: cdefe555b30aa451be1c4b519ccaa9a3
humanhash: california-cola-violet-shade
File name:QRN-CLJC-06112020149.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:813'568 bytes
First seen:2020-11-21 04:47:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'751 x AgentTesla, 19'657 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 12288:XAxd7LKgnXbr1BzSJeq/sQwINAj+IKCXc1G4ZE2YwhOTuXP9upRIkqW7otI:XAL6wltiJkNzjdQG4ZXD8iXYMIKI
Threatray 1'572 similar samples on MalwareBazaar
TLSH E805DF71E185AE90E03A937C141DA60457FA2D12F311D87D7EBA74A92CF2F440E92B9F
Reporter FORMALITYDE
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
328
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/544595
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 321395 Sample: QRN-CLJC-06112020149.PDF.exe Startdate: 21/11/2020 Architecture: WINDOWS Score: 100 28 g.msn.com 2->28 36 Found malware configuration 2->36 38 Multi AV Scanner detection for dropped file 2->38 40 Sigma detected: Scheduled temp file as task from temp location 2->40 42 12 other signatures 2->42 8 QRN-CLJC-06112020149.PDF.exe 7 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\Roaming\XwhZikir.exe, PE32 8->20 dropped 22 C:\Users\...\XwhZikir.exe:Zone.Identifier, ASCII 8->22 dropped 24 C:\Users\user\AppData\Local\...\tmpF5B4.tmp, XML 8->24 dropped 26 C:\Users\...\QRN-CLJC-06112020149.PDF.exe.log, ASCII 8->26 dropped 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->44 46 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->46 48 Injects a PE file into a foreign processes 8->48 12 QRN-CLJC-06112020149.PDF.exe 15 8 8->12         started        16 schtasks.exe 1 8->16         started        signatures6 process7 dnsIp8 30 mail.privateemail.com 198.54.122.60, 49748, 49749, 587 NAMECHEAP-NETUS United States 12->30 32 elb097307-934924932.us-east-1.elb.amazonaws.com 54.243.161.145, 443, 49747 AMAZON-AESUS United States 12->32 34 2 other IPs or domains 12->34 50 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->50 52 Tries to steal Mail credentials (via file access) 12->52 54 Tries to harvest and steal ftp login credentials 12->54 56 Tries to harvest and steal browser information (history, passwords, etc) 12->56 18 conhost.exe 16->18         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-20 13:00:20 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=m677hsm7cdbldco7eqqc6zvdsaotkwchv7xh3zhwnr4k754uzerq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13207816457e33a0430e6da6d1ab86d9797f9c2895a7491c142b5b8bfee3bb0d
AgentTesla
14fbd7283be9da4d0fe9736a3a86b1b779b4c4abdb077f0647625fd5ad8068ec
AgentTesla
1e3772fb826af045d4d6aa5943be1c66bfca44858adaee941606ebce680373d1
AgentTesla
31705dc52cd25b1a406341a071401d39833225a184c0918214edf72cd3a77a57
AgentTesla
5952cc403a58eab272b199a6f39c35bfadf8feeafbadc1a3d30a68e01e93b7ae
AgentTesla
639aa73ed2700349b87c9a12879447b219dfd137f60f50611588e9ced7726392
AgentTesla
6c172122db5af54bec6f1a6255169ff95ddebce78bc550814c701ef7e2664f58
AgentTesla
c2c8dd06ab505a3989373e72a3f565054a63716424f559592859024d2bade1d7
AgentTesla
dde122ac5a5a8eb786e335b3278dc5aae9cd3635c889fc4eb641a7a69123954d
AgentTesla
e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0
AgentTesla
+ 1'562 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201121-rr74tc9dd6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
2f87f7554d07432285350f8e672f390fd6daa4144e02414324cb9937e4b0e08a
MD5 hash:
37a1adc8256582eeac5f4d2bf1569b8b
SHA1 hash:
1ae4262e2160b66b5f3ee8a3cedf465c76b982cf
Link:
https://www.unpac.me/results/f3444e3f-8f8a-4fea-a229-4d40cb02f2d8/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/f3444e3f-8f8a-4fea-a229-4d40cb02f2d8/
SH256 hash:
da1ed4d7e494ff063526d1743c3361f51564505bd03799c51fe1e992db5f7164
MD5 hash:
b4bf2450d8186d162d91233cb1eb3c53
SHA1 hash:
3985daf2f75fbdbe8c5fa2c8226e7343c4a8a945
Link:
https://www.unpac.me/results/f3444e3f-8f8a-4fea-a229-4d40cb02f2d8/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/f3444e3f-8f8a-4fea-a229-4d40cb02f2d8/
SH256 hash:
44972f1292cead4a36b6e9b63599eaab38c43e7c515dacebcfee86684eaf3f81
MD5 hash:
2cca1dba8f010aa5987751b598288222
SHA1 hash:
8f13a04f39c45b182b7d7f4ce3d785b61143348f
Link:
https://www.unpac.me/results/f3444e3f-8f8a-4fea-a229-4d40cb02f2d8/
SH256 hash:
67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923
MD5 hash:
cdefe555b30aa451be1c4b519ccaa9a3
SHA1 hash:
dde5a61b58ce44a985ee7ca8d4a789140063616c
Link:
https://www.unpac.me/results/f3444e3f-8f8a-4fea-a229-4d40cb02f2d8/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923

(this sample)

  
Delivery method
Distributed via e-mail attachment

Comments