MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8977966e59f3f3634c2b9d2677562020436f21e59d9be58415984398507584dd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	8977966e59f3f3634c2b9d2677562020436f21e59d9be58415984398507584dd
SHA3-384 hash:	f429ead073a5e0434d47f2d5f37bdfbcf2dddf7896446aff38440d4c957b257fe45787c07e78d68b033a6fb6c4a40db0
SHA1 hash:	c62b8b888f1812fdab007d03d5fd3cb052a2d0b4
MD5 hash:	67b9e4c6b9f3d7b8e94c036241dad011
humanhash:	eighteen-yellow-mobile-colorado
File name:	RFQ_114902020.bin
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'298'698 bytes
First seen:	2020-07-15 07:12:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep	24576:bNA3R5drXdFdbw54/OJqRvo/jdrXL7lIoZew5+o0BaOH29jZFQYcHO6lIFAY:G5NdHsJrXnOoZes+bBf29jZ63iF5
Threatray	10'821 similar samples on MalwareBazaar
TLSH	37551202BFC684B2D4721D325C76A320A97CBC741F71CB5EB7C9595CC971282A622FA7
Reporter	JAMESWT_WT
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/25886/

Detection(s):

Win.Malware.Autoit-7599063-0

SecuriteInfo.com.Troj.NanoCo_TZ.22029.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Launching a process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Launching a service

Stealing user critical data

Unauthorized injection to a system process

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/8977966e59f3f3634c2b9d2677562020436f21e59d9be58415984398507584dd/

Threat name:

Win32.Infostealer.Agensla

Status:

Malicious

First seen:

2020-07-15 04:19:52 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 31 (80.65%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=rf3zm3sz6pzwgtbltuthovraebbw6ipftwn6lbavtbbzqudvqtoq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

23005e23c85ef953237d9107f4542a08afc83f4d921191b78cc983f7aebfea21

AgentTesla

251c55b7c7c02eec9a87eca94bb01f653317ef5d8278aeb2b511194d7057a675

AgentTesla

38701fe4b63d1436ba2e26cc7e268327299b58bcccbf074bfb2cbbcf57ceb2ea

AgentTesla

4cc5f468994fd62cc832482404cfc7e45232f059b9d355d3df41535a170b3470

AgentTesla

7943dd3d1f4215ee40123ab13edc945dccd0ff9d3e9cddf372ff8ecbffe62635

AgentTesla

9e1de81ecb080a9d970953a62de72b6a83cc61776409098f1429c11032cbfa14

AgentTesla

a72a48f073453a56e214a24edf8a203221b77bd1989b19896202a0b9f8f8b56c

AgentTesla

cd8770808daf4f97a339438001f0ac7dab0853feb07134e6f7bb2fc3db9581c0

AgentTesla

d35f40a630b2e4b24ec76c354e1e66d927afe339aaba45ff3c750ed52193c910

AgentTesla

+ 10'811 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200715-1b7s1xwx9x/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/25886/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample