MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 68d0f7126ce746301b1b43bb0e65c8809fd5883224d46575b53cc32b3fec570f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 68d0f7126ce746301b1b43bb0e65c8809fd5883224d46575b53cc32b3fec570f
SHA3-384 hash: f8e84d1e39216ecf9f9cd522b82e5128087f4df34bd9c3f495d1aa9f7028abe0cfa3bf29944ca7344ce0f6ad8aa900f0
SHA1 hash: e8f104171cc47b1d91b7a1cc2fb3f4bb4016875f
MD5 hash: c9928dadca467c7df56f0190023d71d4
humanhash: nuts-tennessee-bacon-vegan
File name:Inquiry-20201118105427.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:804'864 bytes
First seen:2020-11-18 12:34:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 5113dec31b8616dbad783836e7188783 (11 x AgentTesla, 2 x HawkEye, 2 x Loki)
ssdeep 12288:+l1aMljBMKnw6WJoGPb5FUoRAVyImHlawLFI/FIzptSNz:YJCKxWfPNFwyIUlawp5tEz
Threatray 2'983 similar samples on MalwareBazaar
TLSH 99059E23B2A15873CD2316388CDB9BB86D2EBED0291B79872BF51D48DF3D2813516197
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.kit-h.com
Sending IP: 185.200.242.204
From: Ali Thakur <info@kuwaitoilers.com>
Subject: PRICE & DELIVERY
Attachment: Inquiry-20201118105427.r00 (contains "Inquiry-20201118105427.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/541121
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/68d0f7126ce746301b1b43bb0e65c8809fd5883224d46575b53cc32b3fec570f/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 12:35:11 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ndipoetm45ddagy3io5q4zoiqcp5lcbsetkgk5nvhtbswp7mk4hq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7
AgentTesla
60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8
AgentTesla
7b87995c3121e530fa11c32b58690f875c58f5dec133c5cb57c22fdf4ee237bb
AgentTesla
b2ec3cbaca68c03cabfbd50b7b94908971b26a52e5eacd80d499844944929c1b
AgentTesla
b61fd6fa3079321e5231c3bdea1d4894b2de3fb8a8e38c2cb2c3d4754a7da86d
AgentTesla
bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
AgentTesla
c6d32cce563241de2f9137ed8a1812a2413cbed6f84d4d6870202fa0fcd1e01e
AgentTesla
deb787123698fbdeae3c8561b4c7fef3e01ac5443519661c644608dc9df85867
AgentTesla
f114260deddc0c7ea49c9a76fca65890679874e9d295c0015d6de8f736fb8c5e
AgentTesla
f78a1ebc98a1c1482564cc64a7d10ba7c1ed03591b8cebeba72f27df590dd57d
AgentTesla
+ 2'973 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware upx
Link:
https://tria.ge/reports/201118-sk3xq1aag6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
68d0f7126ce746301b1b43bb0e65c8809fd5883224d46575b53cc32b3fec570f
MD5 hash:
c9928dadca467c7df56f0190023d71d4
SHA1 hash:
e8f104171cc47b1d91b7a1cc2fb3f4bb4016875f
Link:
https://www.unpac.me/results/105f8935-ac6f-41e0-ac39-2a21a6465aa4/
SH256 hash:
c0791632452fd17fdb08b4241ad7b6f5aaf1af6190861301135ef3631f4b4020
MD5 hash:
e8dc83a4ed7657d3211077b7f343fc3c
SHA1 hash:
0af6cb0ca0d55a2ec6626443b5d91f9c0d0c332c
Link:
https://www.unpac.me/results/105f8935-ac6f-41e0-ac39-2a21a6465aa4/
SH256 hash:
24aa40e1d195ad0626e09e7b038adf533fb6ebbbe6dd9b0a1818978aef73fd61
MD5 hash:
3c3bc6f6e9d35a8026016d9305def40b
SHA1 hash:
b871df2af2e4afd175df3c13f0438e03ff6ab974
Link:
https://www.unpac.me/results/105f8935-ac6f-41e0-ac39-2a21a6465aa4/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 efa832ff824240107613e256865ca697ae42f57617c66d7b11c8272a94bf9f9c

AgentTesla

Executable exe 68d0f7126ce746301b1b43bb0e65c8809fd5883224d46575b53cc32b3fec570f

(this sample)

  
Dropped by
MD5 bebcea0951b8cef9bfad28b537b4d220
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 efa832ff824240107613e256865ca697ae42f57617c66d7b11c8272a94bf9f9c

Comments