MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 812f79b6a6beba3214cee4b325afb9c5483100aa082bb2e90ea7a6ce835661a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	812f79b6a6beba3214cee4b325afb9c5483100aa082bb2e90ea7a6ce835661a0
SHA3-384 hash:	ea2c4dfaf4a6f684824e63721e26d4f080351ada625a86330a754363c87567195f403da106d483e13c3c8288701fdbc5
SHA1 hash:	7021312ea41506cd4ca5af4939496782abf670fe
MD5 hash:	5cc4644ce55627f4bfd2c021063f3241
humanhash:	washington-lithium-papa-stream
File name:	HSBC Payment Advice_pdf.gz.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	777'216 bytes
First seen:	2020-07-16 07:49:40 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	16b3dd4ab50d24202f43f84f949a698b (3 x AgentTesla)
ssdeep	12288:I45y89CxgV6xWZpLy854krNVEAeXmqcq8oogBb5+rVa9azM:JYTxkFG8xrNWXmqcnrVyX
Threatray	11'858 similar samples on MalwareBazaar
TLSH	10F4AF62F2F05432C16726389C1B97B8AD35BD1039689E476BF47C4CAF79781392A2D3
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/26470/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching the process to change network settings

Launching a service

Creating a file

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/389405

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Capture Wi-Fi password

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/812f79b6a6beba3214cee4b325afb9c5483100aa082bb2e90ea7a6ce835661a0/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-16 07:50:34 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=qexxtnvgx25defgo4szsll5zyvedcafkbav3f2iou6tm5a2wmgqa._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

53f84a636705d923e6166e6924f8c548ac2086d88e24f8ad823a5f186ddb0091

AgentTesla

59f912d2e25dd9c7ad3414a2a5fefaee8153f0d20cd89ccd96618e8f367facc4

AgentTesla

74b92fc96452dd15b76cef9ab688fae3f44d580953a0a4533430a526543ccddf

AgentTesla

9bce611301f45b690f323467856374363983aa4c428c1e3cdb763f6e299bb419

AgentTesla

b3a27e158356620e607a47b1ec0ba508a7526d6dcda53de87a40f0e9c5397cc2

AgentTesla

b8593f4d7560ce53b3ccc9a84da05bb783ca5908fdb5a537bb274bef749ae282

AgentTesla

cebaa029ac534787f40aacdac6e5ad2383df34643cba1e92de862c081ce872f6

AgentTesla

da1be039f11d0a25904fba123afca2656f7f4a423526b2b5c8780315e1053b5c

AgentTesla

db23aa997a6d911f35d982d7f65aa388e701edda71ad1d34adcecd680e0039e2

AgentTesla

+ 11'848 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx persistence keylogger trojan stealer spyware family:agenttesla

Link:

https://tria.ge/reports/200716-3w4qkhlw8j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

Modifies service

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar