MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 6960d585698d0353194d53afa7c6db5a68386fa8855cefefe9a2f4ce1292b5da. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 6960d585698d0353194d53afa7c6db5a68386fa8855cefefe9a2f4ce1292b5da
SHA3-384 hash: 86dbd8f4ddf287918921507d9502683bf8de841ebc2c9ab286846a038577579c57366a9bc0e48b00ac69f0294093891a
SHA1 hash: 57b89bf08a8603a20127b65cb74974873819835e
MD5 hash: f73c222727f2ed1fdeb93c6dca328867
humanhash: victor-fix-foxtrot-north
File name:PRODUCT_DETAILS.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:799'627 bytes
First seen:2020-08-03 13:53:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 3c98c11017e670673be70ad841ea9c37 (5 x HawkEye, 5 x NanoCore, 4 x Plugx)
ssdeep 12288:BK2mhAMJ/cPlJVl35aTq/ZWkoTFybu49E+T5FED3U6yoxrPeySCpJzE6K4lqw:w2O/GlJVd+q1ox8FzFED3O0Wy7qw
Threatray 11'026 similar samples on MalwareBazaar
TLSH 78052203B6E491F8DA5171302FBE3948D8BDB43424BDD90FE389175D3278A97952A3A3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: webmail.badhotelschevenigen.nl
Sending IP: 5.178.32.122
From: Leonel Martinex <leonel.martinex@badhotelscheveningen.nl>
Subject: Order
Attachment: PRODUCT_DETAILS.PDF.gz (contains "PRODUCT_DETAILS.PDF.exe")

AgentTesla FTP exfil server:
ftp.skibokshotell.no

AgentTesla FTP exfil user name:
brompl@skibokshotell.no

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/37907/
Detection(s):
SecuriteInfo.com.FakeAV.AOMC.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Searching for the window
Creating a file in the %AppData% directory
Delayed reading of the file
Running batch commands
Creating a process from a recently created file
Creating a file in the %temp% directory
Deleting a recently created file
Launching a process
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408055
Signature
Binary is likely a compiled AutoIt script file
Contains functionality to register a low level keyboard hook
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256268 Sample: PRODUCT_DETAILS.PDF.exe Startdate: 03/08/2020 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Yara detected AgentTesla 2->37 39 Uses an obfuscated file name to hide its real file extension (double extension) 2->39 41 2 other signatures 2->41 9 PRODUCT_DETAILS.PDF.exe 9 2->9         started        process3 file4 29 C:\Users\user\AppData\...\Product.sfx.exe, PE32 9->29 dropped 12 cmd.exe 1 9->12         started        process5 process6 14 Product.sfx.exe 8 12->14         started        17 conhost.exe 12->17         started        file7 31 C:\Users\user\AppData\Roaming\Product.exe, PE32 14->31 dropped 19 Product.exe 2 14->19         started        process8 signatures9 43 Binary is likely a compiled AutoIt script file 19->43 45 Sample uses process hollowing technique 19->45 22 vbc.exe 15 2 19->22         started        process10 dnsIp11 33 ftp.skibokshotell.no 178.164.11.103, 21, 49750 NTE-BREDBANDNIX1OsloNorwayNO Norway 22->33 27 C:\Windows\System32\drivers\etc\hosts, ASCII 22->27 dropped 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->47 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 22->49 51 Tries to steal Mail credentials (via file access) 22->51 53 6 other signatures 22->53 file12 signatures13
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/6960d585698d0353194d53afa7c6db5a68386fa8855cefefe9a2f4ce1292b5da/
Threat name:
Win32.Trojan.Rasftuby
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 13:55:14 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=nfqnlbljrubvggknkox2prw3ljudq35iqvoo737jul2m4euswxna._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
17a9fa26f553c56d5b03921045d684a49177b8620eb3313dfcf13d269789c4ae
AgentTesla
3c1560efecba1706891a52dd3c969849939e18ff5063ced0c2ac334e937a0d9d
AgentTesla
5ee970db11a1dbfeff58b1f1206045d141022d6d396d50ba571910522a2c106d
AgentTesla
87881f84676ff10ab3f51519748d1799468def9f10dab79588b1d655d0eddb71
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
909b8620c583890661a37687b85621d40c0fa6ba691d9a5398e8fa988ccdbe7b
AgentTesla
a3c44389aac31e62cd3267525d4cfebbd65c32fbaec918500b606d67b0ea62d8
AgentTesla
a6bf564665f281e7226d137f8da8692436c44edb6ab7881cab31282ffd6649ad
AgentTesla
c015de0626ba91b194a47d0c8d76594e1bddadae9d9a6891b26ff7c2bc0fade3
AgentTesla
e3afb8be8f04e148a4214c375eff4817f2afcfcaff0f6a0bf2f5e324d9649b1b
AgentTesla
+ 11'016 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200803-2lnd2ecfwe/
Behaviour
Suspicious use of SendNotifyMessage
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Loads dropped DLL
Executes dropped EXE
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/6960d585698d0353194d53afa7c6db5a68386fa8855cefefe9a2f4ce1292b5da

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 8e84499dc9dd628f3a07ba386c534a7ee8fe59ec5d669d354604fe75094e8421

AgentTesla

Executable exe 6960d585698d0353194d53afa7c6db5a68386fa8855cefefe9a2f4ce1292b5da

(this sample)

  
Dropped by
MD5 0fcf47f1b9316e3e687c02dc28b86d31
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37907/
  
Dropped by
SHA256 8e84499dc9dd628f3a07ba386c534a7ee8fe59ec5d669d354604fe75094e8421

Comments