MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 848489fd5b5b3a4db4d487ad8c94d05f73383bbaf8515603e48db61d0b4667ea. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 14


Intelligence 14 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 848489fd5b5b3a4db4d487ad8c94d05f73383bbaf8515603e48db61d0b4667ea
SHA3-384 hash: cf4767463616a6e1cba0a568cd263295aab32ef90d1c6fbe13faec5045a226af39305446fe69f61eb96f19fb2f5b50df
SHA1 hash: 9e7d7cdaadd56c5d3d18c2978b3f06e7bedfd382
MD5 hash: 0ab78998640ac5c15d27bd6b10c28f03
humanhash: alaska-texas-early-alanine
File name:proforma invoice@210604-inv187-03 .pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'002'496 bytes
First seen:2021-08-09 06:55:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:kKvirxYug+WTdloqlmrOSpawkbNah8zmj5rbp7u9iV8o0zz65xz61m+RPzIQWTBt:kKQmHfPPe+P7XP
Threatray 8'082 similar samples on MalwareBazaar
TLSH T1A1255D243AFA5019F173EF795FE4799ADA2FBBB33B07945D1050034A0633A81DD9293A
dhash icon 74f4888a8c8880a4 (8 x SnakeKeylogger, 2 x AgentTesla, 2 x Formbook)
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
proforma invoice@210604-inv187-03 .pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-08-09 06:57:29 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3e033569-553e-459f-91d8-f4db03d17845

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177461/
Detection(s):
Win.Malware.Fareit-9802638-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/15682b93-1576-45a4-b62e-e3911feb2e59
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/829081
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/848489fd5b5b3a4db4d487ad8c94d05f73383bbaf8515603e48db61d0b4667ea/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 02:19:41 UTC
AV detection:
16 of 46 (34.78%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qscit7k3lm5e3nguq6wyzfgql5ztqo527bivma7erw3b2c2gm7va._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e9b75e527544aa8db9880eb423b73f0edfb79995be585eb2d69c735068d082e
AgentTesla
19f2e87e5318afad4e60612a68cb610caa3306dab2004c56717224733d22baee
AgentTesla
3abd941389c4d76a2e36c0c4468aab3b891925225f63bd5e280dd1c986311099
AgentTesla
7257e33f527df5f7820d5dfd9022d923b5fb6cdef21d402c54fc9d3f3106f3a3
AgentTesla
a7420f4232ff0a3f530116adf7b2505c633a18aea175db967d97a6e35907ceea
AgentTesla
e9e38da2056d6738c63eceefe9351446dbfe92fd6d8651924875ef97af9efc1d
AgentTesla
f3bcb556566e427c803b36d6e3ec616e42f4829e409411eda585848217989c21
AgentTesla
fe002c6ea5fb08da2485b6ccfdc4f6cb32870afb57ae851b49aae5b3a74b5f80
AgentTesla
+ 8'072 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210809-vda7n7jyl2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/08c6af8f-0fed-4a99-8903-b0c9eb7ee1e1/
SH256 hash:
85a3064449ce7ed46614a6219ba8ecb0a5948633899c69453466b0cdfee2c8bd
MD5 hash:
76f2bbf05fb4e066067b313673319742
SHA1 hash:
f162dd9cb921d049684b42afd999285940ed8b65
Link:
https://www.unpac.me/results/08c6af8f-0fed-4a99-8903-b0c9eb7ee1e1/
SH256 hash:
e65d9f93b22339fbad7b5d8a32302be8c24bc7930587c1cea1c8ef9c36d669ef
MD5 hash:
4576ed2770430267133501089e35ae1d
SHA1 hash:
796fede1332e67f71abd8f54645589675361bf6f
Link:
https://www.unpac.me/results/08c6af8f-0fed-4a99-8903-b0c9eb7ee1e1/
SH256 hash:
848489fd5b5b3a4db4d487ad8c94d05f73383bbaf8515603e48db61d0b4667ea
MD5 hash:
0ab78998640ac5c15d27bd6b10c28f03
SHA1 hash:
9e7d7cdaadd56c5d3d18c2978b3f06e7bedfd382
Link:
https://www.unpac.me/results/08c6af8f-0fed-4a99-8903-b0c9eb7ee1e1/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/848489fd5b5b/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
iSpy Keylogger
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/848489fd5b5b3a4db4d487ad8c94d05f73383bbaf8515603e48db61d0b4667ea

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
Create hunting rule
Author:ditekSHen
Description:Detects executables containing URLs to raw contents of a Github gist
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 848489fd5b5b3a4db4d487ad8c94d05f73383bbaf8515603e48db61d0b4667ea

(this sample)

  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177461/

Comments