MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 71bf82d361e416132b74f9357e43d9716529dcb0fae3d464cffc5b984d922227. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 8
| SHA256 hash: | 71bf82d361e416132b74f9357e43d9716529dcb0fae3d464cffc5b984d922227 |
|---|---|
| SHA3-384 hash: | 9733d7a4cf7bf6649b7fe69f67ac1acf96a1c11d2d508a0c3c9a29464b5590389fea5685114fd7a6410dc4b03d99caf5 |
| SHA1 hash: | caed1d58d2d43e6075a4d89ab63a69723ed61acc |
| MD5 hash: | 878d32f2f56d4f2b40a64ed91e7b7ce0 |
| humanhash: | carbon-apart-michigan-colorado |
| File name: | VTECH RFQ - 164873.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 483'209 bytes |
| First seen: | 2020-07-31 06:54:15 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | 7c2c71dfce9a27650634dc8b1ca03bf0 (160 x Loki, 58 x Formbook, 55 x Adware.Generic) |
| ssdeep | 12288:1anIKWtJP377/TBimrskeTHDwqLq6yQShVaH880iBuPuBJ:/KWtJP3XUmioqLq6yRhD80iBnBJ |
| Threatray | 640 similar samples on MalwareBazaar |
| TLSH | CEA42205338180E3DDE81373207BEB3966A46C3925B6E28F37D9BB5D7573291821F689 |
| Reporter |  abuse_ch |
| Tags: | AgentTesla exe |
abuse_ch
Malspam distributing unidentified malware:HELO: vps.charypublications.com
Sending IP: 67.211.216.5
From: Moises Luis Terol <moises@vtechsa.com>
Subject: VTECH RFQ - 164873 / VTECH PROJ #: PA-0724, END USER BRAZIL
Attachment: VTECH RFQ - 164873.IMG (contains "VTECH RFQ - 164873.exe")
Intelligence
File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Blackrat
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a file in the %temp% directory
Creating a file
Creating a file in the %AppData% subdirectories
Launching a process
Sending a custom TCP request
Creating a window
Transferring files using the Background Intelligent Transfer Service (BITS)
Enabling the 'hidden' option for recently created files
Using the Windows Management Instrumentation requests
Moving a file to the %AppData% subdirectory
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Maps a DLL or memory area into another process
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.FormBook
Status:
Malicious
First seen:
2020-07-31 06:56:08 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
5/5
Detection(s):
Suspicious file
Verdict:
malicious
Similar samples:
+ 630 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
1/10
Tags:
n/a
Behaviour
NSIS installer
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Malspam
Delivery method
Distributed via e-mail attachment
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.