MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8f797837350e153c8c1f0f81a9f2b2159e10fa1460a24825e9e59a6c4caf4853. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	8f797837350e153c8c1f0f81a9f2b2159e10fa1460a24825e9e59a6c4caf4853
SHA3-384 hash:	68392bd84024873296a31aca42cf5189b5d32ef5f962f0a8a90304210d812b09c0eebdb1f8e216bbe2af9f82100694e6
SHA1 hash:	fcf073411d333267c2bda6d6159c7a1789288eb4
MD5 hash:	4399d77a4525d0dffda81a51a3fe7771
humanhash:	papa-triple-south-alanine
File name:	RFQ 324DE12.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	638'976 bytes
First seen:	2020-12-07 14:14:59 UTC
Last seen:	2020-12-07 15:49:35 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'634 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:zLxiejetgQ4iznbpMYhY4gmvwzEa7MIGoHQxbZ7dRg:zLSt94AnbpRhYzQwQqMI1wvjg
Threatray	1'711 similar samples on MalwareBazaar
TLSH	A1D4AE353E602E93D6BACBF250207290CFB5662F696DE2DC6CC211DE45F6F104989E63
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

158

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

RFQ 324DE12.exe

Verdict:

Suspicious activity

Analysis date:

2020-12-07 14:24:15 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/435b1da8-b465-43ec-b4b1-00698ca5ecb8

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/107036/

Detection(s):

SecuriteInfo.com.Variant.Bulz.251429.23948.11422.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/556869

Signature

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/8f797837350e153c8c1f0f81a9f2b2159e10fa1460a24825e9e59a6c4caf4853/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-07 03:03:49 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=r54xqnzvbyktzda7b6a2t4vscwpbb6qumcreqjpj4wngytfpjbjq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

20b9ec5a56219d5254b07c32c45c34eac8017ed9cb8335eb2c6f5312b9ea44ff

AgentTesla

2aee5eb975d16feb1036dbf8298c4b6dc6869de8b44065caf8101a1f40b3b6ea

AgentTesla

33bf5c7e008702144c8ec88d5e22c80609463864658612f818d43ca963a5d156

AgentTesla

45db04125ffed825431a746e397c7c1fb4fb3ccf8768701d791847df9e9d09ee

AgentTesla

772d316873673ace45da234f8820d736d2f18c55eeab2b84a471dbfdaba963b6

AgentTesla

c69e882c771b1818558a97832a4ffc97db0ca2bdca969abcae1b1b9094123b0b

AgentTesla

d79ac65fba80d34f0012d82182dd67ca707475ff4628bf5012d2a3d4db7d413b

AgentTesla

d809df216f28368e1bc3de96702139476f8f2364d2d6e82dec7a540815bc83c0

AgentTesla

e01cfde284baf9742419669d25007c6db1da8a5895b8547c53b51113ee01f53d

AgentTesla

+ 1'701 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201207-g6wkjzlyjn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

8f797837350e153c8c1f0f81a9f2b2159e10fa1460a24825e9e59a6c4caf4853

MD5 hash:

4399d77a4525d0dffda81a51a3fe7771

SHA1 hash:

fcf073411d333267c2bda6d6159c7a1789288eb4

Link:

https://www.unpac.me/results/f93975d1-df79-4733-bcb2-5824dc13680f/

SH256 hash:

c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94

MD5 hash:

a60401dc02ff4f3250a749965097e13f

SHA1 hash:

3f22d28fd765f831084cb972a8bd071e421c26a1

Link:

https://www.unpac.me/results/f93975d1-df79-4733-bcb2-5824dc13680f/

SH256 hash:

4785aa6fc93820cd4e729cca409ba7fd803108b578a3167efb713d12364f714b

MD5 hash:

901f57d92ceb6b151a692bcaf6aba1aa

SHA1 hash:

47ebad5043bbfcc7a905d964e86de9fef32d6195

Link:

https://www.unpac.me/results/f93975d1-df79-4733-bcb2-5824dc13680f/

SH256 hash:

80875c65480365c1b8aee779fe277652bc775c6c00b66a5aa1e81bfc0855cc98

MD5 hash:

e2eec2e0b8a312cdaeca8f65e71c7694

SHA1 hash:

eea5ea030b8a277561a445f1c4a513a26585a575

Link:

https://www.unpac.me/results/f93975d1-df79-4733-bcb2-5824dc13680f/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

MassLogger

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8f797837350e153c8c1f0f81a9f2b2159e10fa1460a24825e9e59a6c4caf4853

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	SUSP_Reversed_Base64_Encoded_EXE Create hunting rule
Author:	Florian Roth
Description:	Detects an base64 encoded executable with reversed characters
Reference:	Internal Research

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/107036/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample