MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 718fc86c95456f531fb7ff1ab7d313376cb3db0ed2ef0469b175d1156659845a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 718fc86c95456f531fb7ff1ab7d313376cb3db0ed2ef0469b175d1156659845a
SHA3-384 hash: 6127950ed22ab58117417f68c4b29bc82e2f7e94fd211380736bb4b6a44539ebedcdeccd54e6f3c9642cae05a99841a7
SHA1 hash: 271c46d3000bb61b8e4a62ac7b6649f4ff8c2b1b
MD5 hash: d2bcb1d9ce1f1d32ef8af55e66c41998
humanhash: queen-august-harry-triple
File name:invoice.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:659'456 bytes
First seen:2020-09-16 05:53:01 UTC
Last seen:2020-09-16 12:25:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 61cb597a3378aa34bfbeffc95ef73ec2 (1 x Loki, 1 x AgentTesla)
ssdeep 12288:JEIe3NA3HiCcLSMJ6C29Ghjp27JKHkM76/2C16S3wUep1kx8a:JED3KSsPGlsoES6+CYStep1kX
Threatray 1'603 similar samples on MalwareBazaar
TLSH 05E48D22B2E04433D0B7F63D9D1B96B45829BD513E349D8A2BE4EC4C4F3979538263A7
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/61492/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/467487
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/718fc86c95456f531fb7ff1ab7d313376cb3db0ed2ef0469b175d1156659845a/
Threat name:
Win32.Trojan.LokibotCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-09-15 20:23:25 UTC
File Type:
PE (Exe)
Extracted files:
75
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ogh4q3evivxvgh5x74nlpuytg5wlhwyo2lxqi2nroxirkzszqrna._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
05793491a0160fba57cf1219dd69f0c49a1fd9a43cafe0f78590c1e526f298c6
AgentTesla
0a056539785f34859694bf0e1c074ddaa5c89b1c8c89ea99f00b7ab4f84c9215
AgentTesla
165a1197676a6b92b0086bbdb79a3b615c83ec9d686449b934c4475905608b2a
AgentTesla
25f63850c92faee81eaef4dfcf530a5e72689597d0e2b83b3e444e6a6d3ccce0
AgentTesla
43d7967618189443a76d5822903ae6133c4def90b5d695b138ac96679d00d87c
AgentTesla
5e0b3550098aeaef4722fe9d3299c218e399fb9d379c04336d70bd1be58f61d1
AgentTesla
9dd55f94cfb65ea2fb33a405e11c2c11a2aad46b113098012e7ead8e6e230a32
AgentTesla
b88b4b4716bc914572c1c9711d2d620ee64f037b0b2cc8c8075f3d7777448925
AgentTesla
d19f7c46b3fa82c6f7902bdc4679d13f9933f72c2826e817bff08e7d0869a92c
AgentTesla
e175c9a8deaab55c34a819794d9a751021079caa9fb34faf232c686cf5fdd3c6
AgentTesla
+ 1'593 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200916-ec549mbxmx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/718fc86c95456f531fb7ff1ab7d313376cb3db0ed2ef0469b175d1156659845a

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z ba3c025f8f7b1c849f840ea5183e5aef27105134f5f22144857f141360d17c88

AgentTesla

Executable exe 718fc86c95456f531fb7ff1ab7d313376cb3db0ed2ef0469b175d1156659845a

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/61492/
  
Dropped by
SHA256 ba3c025f8f7b1c849f840ea5183e5aef27105134f5f22144857f141360d17c88

Comments