MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87f83df5fdaabe9b71e77fe26640c185b8312cc5cbd34ebcc6dc047d72885299. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	87f83df5fdaabe9b71e77fe26640c185b8312cc5cbd34ebcc6dc047d72885299
SHA3-384 hash:	d5c9206890f0ae0e6d54e011982736bfc07613065f8eb971bc1c083af651bd4357b3e2122105f44cfd2bbebcdfbdc111
SHA1 hash:	40cefc5b796b12c4efdb939c2ddec50a689af207
MD5 hash:	1d3dd0cfe038d673a3d13e27340581aa
humanhash:	sierra-jersey-mike-gee
File name:	Your Copy Of Invoice CHNR000076498 November 2020_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	826'880 bytes
First seen:	2020-11-09 14:14:57 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:FPBQicvXsmI3ioa7fqJDregbYAQ3De+Dcx6//PHVuwK7RAy+oxmDmS57hBgr1:OvXg3ioa7fq5rT83og//vK7Rb+357hQ
Threatray	1'043 similar samples on MalwareBazaar
TLSH	EC058CA546658F5FD53903768010D24053F582F393EAEBD63DC0A8FEAAC9B40EB171DA
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/526460

Signature

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/87f83df5fdaabe9b71e77fe26640c185b8312cc5cbd34ebcc6dc047d72885299/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-09 05:18:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=q74d35p5vk7jw4php7rgmqgbqw4dclgfzpju5pgg3qch24uikkmq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

05edc3fe4fb4bfa22e5e3ce66e66a4f258adc1aebbb26142bafd1a9264feb4b9

AgentTesla

20dbea65f9ea5d713ead877a8fdca2bb606af820520ea99fafcef39fc7652ce2

AgentTesla

2565e3190558400fb85b0389e7aadf850a4c32d2b7b7d09e37820b8ad361c39a

AgentTesla

3b8067fda3a018631e93bcc5e5ab73c56adc91c4964c45c092d42f2cc9acea6e

AgentTesla

642dfced9844802f4388b3c2f30e08d9a1c94f2507e7277d900756b284d37ca1

AgentTesla

6b75182568a1cf2fef851977be460536fe4a0af4aaf05b41a253c53f2af276fc

AgentTesla

9314cdd0369d3b1a01b3b332e487f7c0744bd289c086855eff62f88f0ebe139d

AgentTesla

a97528499bee868023a6898c85da34f9ed73a5a12b8a3a01817a88d82a8c5641

AgentTesla

e4a41177193fe8cd0c6113402e16b6be355a08baed17e525019ff02ffd8884a8

AgentTesla

+ 1'033 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201109-3d22ddxar2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample