MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 748bdb2c8f1ad331fab247dffe915274bcdd9119a58b194b86cb9eef36b47803. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	748bdb2c8f1ad331fab247dffe915274bcdd9119a58b194b86cb9eef36b47803
SHA3-384 hash:	9e74b10cf4d09d698feb85e759f847606c92f725d531351834460c19f157e43aaaa04ad4542dd4dbd0b0c84ae1c3cf21
SHA1 hash:	5725bdabdcf76792e80adb02e2a5b2da77e87d75
MD5 hash:	14e83056f93b3007653c21b2547a27ad
humanhash:	magazine-network-muppet-sierra
File name:	OHL Industrial RFQ,pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	825'856 bytes
First seen:	2020-10-07 04:46:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	92604fb3a4f39675f5df0ea054782743 (4 x AgentTesla, 2 x MassLogger, 1 x GuLoader)
ssdeep	12288:yebMW1iNFCCmdS7rdGLDpvyEomix6n8DaetCRPZWw9eOYfjV/+rXH:8dF9mdS7kDwZTcn8uMqPZW2vYbVEH
Threatray	1'929 similar samples on MalwareBazaar
TLSH	91059E23B2A04C73C12326789C0B5BB46E26FE1139E8AD46EBF5DC4C5F7968174A52D3
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: 160295.monovm.com
Sending IP: 185.156.172.74
From: Sameer Haneyah <sameerhan@mid-contracting.com.jo>
Subject: OHL Industrial Quotation Request.
Attachment: OHL Industrial RFQ,pdf.rar (contains "OHL Industrial RFQ,pdf.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

DNS request

Connection attempt

Sending an HTTP POST request

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/483579

Signature

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/748bdb2c8f1ad331fab247dffe915274bcdd9119a58b194b86cb9eef36b47803/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-10-07 03:30:47 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=osf5wlepdljtd6vsi7p75eksos6n3eizuwfrss4gzopo6nvupabq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2c0e567384a59c0f113b5016aae24db45e1a7e39a0c9feb157eb98864af4a51f

AgentTesla

3fbf2e87f150e0aee720dc30b69cb5f7811fb855192c74c6be180fa23a06d5ed

AgentTesla

40536a648af9c2b557ed6686cf932119d001d1ae3baf9df4da8bbc3ea457f8a4

AgentTesla

814f3b9dc8aea3d8a2c42d0eda2779733e7c0deaea265cc0b5be77cd1fa6b869

AgentTesla

8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11

AgentTesla

a20e29b157ca333fd7f6503315be7f41df98bf15172c0a8f6cab83451945effe

AgentTesla

a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04

AgentTesla

af78e9a2d4a82521ad67cc63493b8525ebf8c2c1b1fb2530162250daafeb2ec7

AgentTesla

e27846749619df94dd373cbbc3a27fe44a5790bac920ad7c2d8ed13296e71387

AgentTesla

+ 1'919 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/201007-xr3fxfyysa/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Unpacked files

SH256 hash:

9957918f372979add700ca3805274cd1dd34ffed90ceeeb2b61ec4cc63e373dc

MD5 hash:

9bfe8ce5a37db1a4557714ad4613365d

SHA1 hash:

c7814481a6f6e9ae841269dda1a9d533a6787318

Link:

https://www.unpac.me/results/e17a0ad5-0cb7-40ab-867e-413ad7acac3f/

SH256 hash:

7a77e2a5e9bdc18679e35b3012ad5a59d4fd0a7d40fd02d6a59149f6db0ebb28

MD5 hash:

1465d679a9e8a236d996ec21a1fd5098

SHA1 hash:

3ebb286e17795d86166d4d2102d62542bc001d06

Link:

https://www.unpac.me/results/e17a0ad5-0cb7-40ab-867e-413ad7acac3f/

SH256 hash:

748bdb2c8f1ad331fab247dffe915274bcdd9119a58b194b86cb9eef36b47803

MD5 hash:

14e83056f93b3007653c21b2547a27ad

SHA1 hash:

5725bdabdcf76792e80adb02e2a5b2da77e87d75

Link:

https://www.unpac.me/results/e17a0ad5-0cb7-40ab-867e-413ad7acac3f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/748bdb2c8f1ad331fab247dffe915274bcdd9119a58b194b86cb9eef36b47803

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.