MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 680e50ffdfd67d8666b30384252366599e2aa714efc433740f470338647b61af. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 680e50ffdfd67d8666b30384252366599e2aa714efc433740f470338647b61af
SHA3-384 hash: 45daea9d54177605babc60515011ad14377991288f346855cad14722b5a2c2046ae7c41ca4160ede11f1c7d2a66418f7
SHA1 hash: 08b21fc65f60b069a7fa3652daa92d3206c11524
MD5 hash: ce445708abb473bf7fbb336d28d72bd7
humanhash: eight-johnny-johnny-ohio
File name:QUOTATION REQUEST FOR PO 024-2020.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:220'160 bytes
First seen:2020-12-17 08:54:55 UTC
Last seen:2020-12-17 10:29:29 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 412434c6590220a26bbf72c7c07a425b (7 x AgentTesla, 4 x Formbook, 1 x NanoCore)
ssdeep 6144:hNjaeE8vaxoF/R+Nv+o3wI5Vi8UxIkUUoE0R:jaL8vaxA+NW14UxIkUU50R
Threatray 43 similar samples on MalwareBazaar
TLSH 522412C0CA15B055DAB841B80AD62FAB01F7607373DB58F390F7A73F80A5AA2A143D57
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: box.fujiplaengrg.xyz
Sending IP: 23.238.40.206
From: Rashida Nellie Rodriguez <info@fujiplaengrg.xyz>
Subject: RE: OUR ENQUIRY REF: PR/0741/20
Attachment: QUOTATION REQUEST FOR PO 024-2020.pdf.iso (contains "QUOTATION REQUEST FOR PO 024-2020.pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
175
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUOTATION REQUEST FOR PO 024-2020.pdf.exe
Verdict:
Malicious activity
Analysis date:
2020-12-17 09:00:16 UTC
Tags:
evasion stealer
Link:
https://app.any.run/tasks/017823d5-aabf-4cbb-9477-959b5d6cab62

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.ArtemisCE445708ABB4.3961.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a window
Creating a file
Setting a keyboard event handler
Launching a process
Reading critical registry keys
Using the Windows Management Instrumentation requests
Sending a UDP request
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Enabling the 'hidden' option for recently created files
Creating a file in the %temp% directory
Moving a recently created file
Replacing files
Deleting a recently created file
Launching the default Windows debugger (dwwin.exe)
Stealing user critical data
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
Unknown
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565134
Signature
Detected unpacking (creates a PE file in dynamic memory)
Found many strings related to Crypto-Wallets (likely being stolen)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
May check the online IP address of the machine
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected Generic Dropper
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 331654 Sample: QUOTATION REQUEST FOR PO 02... Startdate: 17/12/2020 Architecture: WINDOWS Score: 100 43 Malicious sample detected (through community Yara rule) 2->43 45 Detected unpacking (creates a PE file in dynamic memory) 2->45 47 Yara detected Generic Dropper 2->47 49 6 other signatures 2->49 8 QUOTATION REQUEST FOR PO 024-2020.pdf.exe 1 2->8         started        process3 signatures4 59 Maps a DLL or memory area into another process 8->59 11 QUOTATION REQUEST FOR PO 024-2020.pdf.exe 1 12 8->11         started        15 conhost.exe 8->15         started        process5 dnsIp6 41 smtp.yandex.ru 77.88.21.158, 465, 49731 YANDEXRU Russian Federation 11->41 61 Tries to steal Crypto Currency Wallets 11->61 63 Installs a global keyboard hook 11->63 17 RegSvcs.exe 15 5 11->17         started        21 RegSvcs.exe 2 11->21         started        23 RegSvcs.exe 11->23         started        25 RegSvcs.exe 11->25         started        signatures7 process8 dnsIp9 31 132.41.2.0.in-addr.arpa 17->31 33 icanhazip.com 147.75.47.199, 49727, 80 PACKETUS Switzerland 17->33 39 4 other IPs or domains 17->39 51 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 17->51 53 Tries to steal Instant Messenger accounts or passwords 17->53 55 Tries to steal Mail credentials (via file access) 17->55 35 132.41.2.0.in-addr.arpa 21->35 37 136.144.56.255, 49732, 80 PACKETUS United States 21->37 57 Tries to harvest and steal browser information (history, passwords, etc) 21->57 27 WerFault.exe 23->27         started        29 WerFault.exe 25->29         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/680e50ffdfd67d8666b30384252366599e2aa714efc433740f470338647b61af/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2020-12-17 08:55:10 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=nahfb7672z6ymzvtaoccki3glgpcvjyu57cdg5api4btqzd3mgxq._file
Verdict:
suspicious
Similar samples:
1f58807249befd1a37d00ad7d19ecc29140b027c5f2faebb18e13e67e5750cb8
AgentTesla
3809041ce9fcb7f00674e65db2fd63f94373df583d6e3e869943aeb08b34ad28
AgentTesla
4e54f08a98b07f89fe1441642c32d046c37875460aa66d03111b3c6219707842
AgentTesla
518628a52655227136f54842d662c8dfea11f017ac7ef02fd1d87080bbcbc831
AgentTesla
94d1840f932572d12ec6d9017712bcb0f937e40495ea69981b109beb323bb34a
AgentTesla
a6c456dcee9a9c53aeb0360bdb52a682137745ad9ec607fce1199e24cd348ee5
AgentTesla
c0fb3989dccc0e8aa3c3b0e95a8b6cc3982c41c80930998efc1ac26613b0153e
AgentTesla
ca486417bbe56d65022b49b9ed860c04aa07f71c5a5aa9114f180526ac6f1ec8
AgentTesla
ee8e9b7393b01e6f46b1540fde42f6faa87dee2b3104b5e809b3c0219f91a5c8
AgentTesla
fa5ab5a2f18b43c52d2d150c80700dd9a0abfed9cfbba7261956b690f1595bfe
AgentTesla
+ 33 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201217-masttc22c6/
Behaviour
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
680e50ffdfd67d8666b30384252366599e2aa714efc433740f470338647b61af
MD5 hash:
ce445708abb473bf7fbb336d28d72bd7
SHA1 hash:
08b21fc65f60b069a7fa3652daa92d3206c11524
Link:
https://www.unpac.me/results/b80a0407-1f3c-4449-acdd-54a8068b6704/
SH256 hash:
b68e7306b769ff792ab68c50b585146277ca87bbd8513834ee6c5a3c4a3865a5
MD5 hash:
64ae33851674eb7524a36be991012928
SHA1 hash:
67b373919094b11833a651fe174689af1f7b4653
Link:
https://www.unpac.me/results/b80a0407-1f3c-4449-acdd-54a8068b6704/
SH256 hash:
d01209e4c6358f08e2e82b13389e29aeb8c2c08741b18115b07d4d19c05690e6
MD5 hash:
b952003b1d8c51fddd6052ee43e8b7e6
SHA1 hash:
19d76141246802ee1600ad939ea270889c1a1c32
Link:
https://www.unpac.me/results/b80a0407-1f3c-4449-acdd-54a8068b6704/
SH256 hash:
28307fba7a9410229cdb124898333e74319eb3d53ffb73d28ed31fe73040964e
MD5 hash:
c5b19346c2bec74df606231a399f9502
SHA1 hash:
becee4922489d0f550ede4ef1a4aa7eb1bd7938c
Link:
https://www.unpac.me/results/b80a0407-1f3c-4449-acdd-54a8068b6704/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/680e50ffdfd67d8666b30384252366599e2aa714efc433740f470338647b61af

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 966330bfd34608d73e938be0513c33a318b147792428d3d6872162610dea442c

AgentTesla

Executable exe 680e50ffdfd67d8666b30384252366599e2aa714efc433740f470338647b61af

(this sample)

  
Dropped by
MD5 a8f87a93e40c40d355a2f9e548f6aecd
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 966330bfd34608d73e938be0513c33a318b147792428d3d6872162610dea442c

Comments