MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 80c4f287136c2fef0b36fdc744f31bc4e6e1b2ad7185e5074ea655f00e1e170d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 80c4f287136c2fef0b36fdc744f31bc4e6e1b2ad7185e5074ea655f00e1e170d
SHA3-384 hash: db8522ae9e3345dcc0ec8186836cf77b9b375628cc2b2245f69e858ac116fd161de7fd6fa97d03790f7f5d4cb83e29cc
SHA1 hash: 45be7e1c822fd327713b69f3c974edf7a8597655
MD5 hash: 4d8c134cf12bc3e9e4fad95a143aeb6b
humanhash: missouri-kansas-autumn-five
File name:RFQ-PO_9475909HG7_Sample&Specifications,pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:776'704 bytes
First seen:2020-11-04 01:29:15 UTC
Last seen:2020-11-04 03:50:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:NGH64haGUH9Suk7q4sqRmuKuQrFkiVTRskO32fRGwI7DqapDijh/RBxsWqAvBfnl:NGH64hGsuQq4xRmuKRecRU32J5SDzhSJ
Threatray 936 similar samples on MalwareBazaar
TLSH 8DF401836BDDFB98D66B3B315B7142584B63FA91663FC71F015CD08C88D2A84CEA17A1
Reporter Anonymous
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/82160/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.bc.4418.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/519751
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 308976 Sample: RFQ-PO_9475909HG7_Sample&Sp... Startdate: 04/11/2020 Architecture: WINDOWS Score: 100 33 Multi AV Scanner detection for dropped file 2->33 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 Yara detected AgentTesla 2->37 39 9 other signatures 2->39 7 RFQ-PO_9475909HG7_Sample&Specifications,pdf.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\PhiBZrGaz.exe, PE32 7->19 dropped 21 C:\Users\...\PhiBZrGaz.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp4EA2.tmp, XML 7->23 dropped 25 RFQ-PO_9475909HG7_...cations,pdf.exe.log, ASCII 7->25 dropped 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 Injects a PE file into a foreign processes 7->45 47 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->47 11 RFQ-PO_9475909HG7_Sample&Specifications,pdf.exe 15 6 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 mail.wowwow.com.sg 11->27 29 wowwow.com.sg 203.175.162.60, 49740, 49741, 587 SGGS-AS-APSGGSSG Singapore 11->29 31 3 other IPs or domains 11->31 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->49 51 Tries to steal Mail credentials (via file access) 11->51 53 Tries to harvest and steal ftp login credentials 11->53 55 Tries to harvest and steal browser information (history, passwords, etc) 11->55 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/80c4f287136c2fef0b36fdc744f31bc4e6e1b2ad7185e5074ea655f00e1e170d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 01:31:05 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qdcpfbytnqx66czw7xduj4y3yttodmvnogc6kb2ouzk7adq6c4gq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01330ada2211171d1bb5db977363a94cea239c455ea8c2fabea401a29b1c8143
AgentTesla
32a780401adf987b558a2c7c4d1c9786360adb0a463d576ee01c1c71bc5fe9af
AgentTesla
3944c8a551e1b51be2f29adf187b63497c7dab93f88755bc086f4e7fc30a759d
AgentTesla
3ce4695af91401e898d1819f320779c68bf2bb8da493f222590ab537aa272c18
AgentTesla
44f7f174bfb0ec27e8dab09f73528402bbd263d0ffd4eca4f42c34c999418231
AgentTesla
73884bc59571b3c7199849dcdfb8330b57435a822c320d1913eb990db842fbbf
AgentTesla
786e84224f6784b9abd40ae7ebc9ffeeaf748a3e4d810681aab7d308f786e857
AgentTesla
a185be0edc53aacf866542523d9f2627a21cdcbcf79ed0fcfa1314ea30446ec4
AgentTesla
a7df178348dd3563a0a0a44ec82af4b6bc15bf352337ef690fac078cfee6ec49
AgentTesla
fcd3fc0e0c174c30b7e47217e65c18db028d52f2ef52c5f1b387b3c27f36b5ab
AgentTesla
+ 926 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201104-d57sqyl8hs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
80c4f287136c2fef0b36fdc744f31bc4e6e1b2ad7185e5074ea655f00e1e170d
MD5 hash:
4d8c134cf12bc3e9e4fad95a143aeb6b
SHA1 hash:
45be7e1c822fd327713b69f3c974edf7a8597655
Link:
https://www.unpac.me/results/5e74d5a0-89b4-43ea-9cfb-76e691de9e41/
SH256 hash:
f3414700d190da07c771275b1d16de5602f4953839976bb811cc2ba42b543dc8
MD5 hash:
65056a3e35b8c9aa3b994c5c52461083
SHA1 hash:
09e0f5b5d8689d0ef8e1f8193f4dc605d678af0a
Link:
https://www.unpac.me/results/5e74d5a0-89b4-43ea-9cfb-76e691de9e41/
SH256 hash:
29cda0313bc5efaf5f3ff97173ed1b35fa9b5e98bf4540742742d4129c5bd021
MD5 hash:
bbba6567f61e95a24a1502b4287dc4aa
SHA1 hash:
148b6e0fea2df21d9aef3bbf5b3b58fd80cde426
Link:
https://www.unpac.me/results/5e74d5a0-89b4-43ea-9cfb-76e691de9e41/
SH256 hash:
61237a19847c53ce084b7d147a94e5ec030a1885ed0611c97e871cc383358984
MD5 hash:
8c5d66ed8ba7357c3d563a417b4fb2c0
SHA1 hash:
31e313a896948ab497d47f9fb00265bd595b5a73
Link:
https://www.unpac.me/results/5e74d5a0-89b4-43ea-9cfb-76e691de9e41/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/5e74d5a0-89b4-43ea-9cfb-76e691de9e41/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/82160/

Comments