MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 68d5bcd60a9ce201a3396c12a8d16a25b87e29a7b4c45460b2bfc4e4d743f0fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 10
| SHA256 hash: | 68d5bcd60a9ce201a3396c12a8d16a25b87e29a7b4c45460b2bfc4e4d743f0fe |
|---|---|
| SHA3-384 hash: | e917e1303b50365a3f83917f39c6af1bec0c80a8888428cb5a90d343576e0f72f2550d7c65cadd5db51ce668ac6e396f |
| SHA1 hash: | 7f1055a14823e3f99924d73c5af68577797b40ed |
| MD5 hash: | b10388cf5a6877196ebfb48b191ffac6 |
| humanhash: | ohio-spring-aspen-quiet |
| File name: | RFQ(ORDERLIST).exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 631'296 bytes |
| First seen: | 2020-10-09 16:39:46 UTC |
| Last seen: | 2020-10-09 17:44:42 UTC |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger) |
| ssdeep | 12288:MBsaQbJOBRxBOTYj920jP1RPfFfencZGt3U+Fvz:Da4QP4Yjdb1xZGqs |
| Threatray | 302 similar samples on MalwareBazaar |
| TLSH | B9D45AFA3C42C86DFD6E8332D1B5A0C3F52A12CA7E64950D7DE6421C0F1311E6BA665B |
| Reporter |  GovCERT_CH |
| Tags: | AgentTesla |
Intelligence
File Origin
# of uploads :
3
# of downloads :
127
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AgentTesla
Behaviour
Behavior Graph:
Detection:
agenttesla
Threat name:
ByteCode-MSIL.Trojan.Bluteal
Status:
Malicious
First seen:
2020-10-09 06:42:47 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
unknown
Similar samples:
+ 292 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
keylogger stealer spyware persistence trojan family:agenttesla
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
68d5bcd60a9ce201a3396c12a8d16a25b87e29a7b4c45460b2bfc4e4d743f0fe
MD5 hash:
b10388cf5a6877196ebfb48b191ffac6
SHA1 hash:
7f1055a14823e3f99924d73c5af68577797b40ed
SH256 hash:
89aa143c91d8cace96581d1ad1e4a67060238498168d9e412227019a838574a3
MD5 hash:
beadcc53a3524ce380a7b07b4da47d57
SHA1 hash:
7014b2381ef1ca0f0c8f1b0884315260dc73932f
SH256 hash:
fdab6037f0b34e3a8ba2414b3c9fe41d6b4d2312dc328173c235a3bd1ac96044
MD5 hash:
ef8b4142aa3e021c15efc93b4f2fcca9
SHA1 hash:
9d0eb8d610c70a4e226f2149cf57d93d631d285f
Detections:
win_agent_tesla_w1
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
SH256 hash:
f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd
MD5 hash:
a92da98ff6f5ae608503d074617bcc2a
SHA1 hash:
d3eafcccca011bb3a7a5ae52dd9704ceafcde472
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | AgentTesla_extracted_bin |
|---|---|
| Author: | James_inthe_box |
| Description: | AgentTesla extracted |
| Rule name: | AgentTesla_mod_tough_bin |
|---|---|
| Author: | James_inthe_box |
| Reference: | https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/ |
| Rule name: | Agenttesla_type2 |
|---|---|
| Author: | JPCERT/CC Incident Response Group |
| Description: | detect Agenttesla in memory |
| Reference: | internal research |
| Rule name: | CAP_HookExKeylogger |
|---|---|
| Author: | Brian C. Bell -- @biebsmalwareguy |
| Reference: | https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar |
| Rule name: | win_agent_tesla_w1 |
|---|---|
| Author: | govcert_ch |
| Description: | Detect Agent Tesla based on common .NET code sequences |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Dropped by
AgentTesla
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.