MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7c18807c7588ab38168e53f2b32aeb41c08af34c25c89250ef627a0c7e090393. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	7c18807c7588ab38168e53f2b32aeb41c08af34c25c89250ef627a0c7e090393
SHA3-384 hash:	4fdbc4065e05a9e0df1a4aa2d7e14a9cd403add941ec6d8c9478a93f44ce9b192199ad57ed4fd9afa275f601ebb83556
SHA1 hash:	7955a4c9da2ff48fab9627e1ecd4bb7a0e1d15ed
MD5 hash:	a24e23057b9c6851d64b0d88f625a502
humanhash:	winner-artist-ten-burger
File name:	Order # DFD333GHYT59359.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'672'704 bytes
First seen:	2020-08-08 17:58:29 UTC
Last seen:	2020-08-08 18:55:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a92b73721d2c6f021be1999cde5f5828 (2 x AgentTesla, 1 x HawkEye)
ssdeep	24576:2+tf+v9o5bIOht4Bd3txgKMPav/pMbmISXM5TvHK6zGbY6NUYCFIvGvMTiEjh2yp:2GriOcbdDU0dvbmEjh2yzoE9bx
Threatray	11'714 similar samples on MalwareBazaar
TLSH	EF755C21BD828437D0723A3C9D1A66589F29FF342D28944A7ADCFE5F4E39640392D2D7
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: sv2.webaware.co.za
Sending IP: 129.232.157.135
From: Mr D Food Orders <orders@mrdfood.co.za>
Subject: Receipt for order accepted by McDonald's Order: #DFD33359359
Attachment: Order DFD333GHYT59359.10rar.rar (contains "Order # DFD333GHYT59359.exe")

AgentTesla SMTP exfil server:
mail.dbbrokers.co.za:587

Intelligence

File Origin

# of uploads :

# of downloads :

107

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/42211/

Detection(s):

SecuriteInfo.com.Variant.Zusy.310798.25007.22775.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/415893

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7c18807c7588ab38168e53f2b32aeb41c08af34c25c89250ef627a0c7e090393/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-08-08 18:00:09 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pqmia7dvrcvtqfuokpzlgkxlihaiv42mexejeuhpmj5ay7qjaojq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

1042eea9861e1ac601f162a2ad3da77a4ee701eb9877cdc60d78cf88bfbc2a58

AgentTesla

46356915a76c8b5b13e493440b38abc7bf9f795728bd8b5bc2bc4ef2bc251722

AgentTesla

731d6bd52db80b3c422dc2e72e9c17adf0018fe1a392e67d28f642d96c02411e

AgentTesla

7c6da3c6cdc2c4ba881925e305c2c2044105546e0b7a8ca1d8c523d8584be05a

AgentTesla

bcb3a08ff39258f04e54ccb4ec531754fb2ece9755d92885f7f5c298d29897e4

AgentTesla

bcfb478a32ff109678cbd5fc380ba87be6861abd2cfde7c593bbaaab185d47fe

AgentTesla

c66b164cb1120ffc2e7cf33e6aae762ff03e95902a7ec0066c70b3014edf8a37

AgentTesla

cc71aaff5556a4053df2846a191ff63e54b3b10df75b98a3d8d5edc4c02c7d1b

AgentTesla

df6e5a970596d544e6f644924cafadda5a596e2337621ea98829bd36801fa02c

AgentTesla

+ 11'704 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200808-g29vbwc8wa/

Behaviour

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

UPX packed file

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar