MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 97c73eb27f164d01020de5531c96adb305bfdd8e6ec727bfaf65a2fa7b02638a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 97c73eb27f164d01020de5531c96adb305bfdd8e6ec727bfaf65a2fa7b02638a
SHA3-384 hash: dcd60f618d33ca05b5b2a690cfbd0bff691180c646e6bce7d3190a1641d75b03b7b43a29d9f95188ea3ff9a82558e175
SHA1 hash: 622abae8982fc63e6c93f5e3465961ae5a219191
MD5 hash: 751993dc0898ed185eefc4142e1f2da6
humanhash: wolfram-crazy-table-alanine
File name:RFQ HLG 21565 HLG SLB ENI MGS BGCS 3 5 RFQ PROJECT OPEN QUOTE HLG 2140 PSI OCT Rev 0 201.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:861'696 bytes
First seen:2020-11-17 04:50:44 UTC
Last seen:2020-11-17 06:56:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:5Dmly2zIFmxXUMgM0jg7y+Uhnnh+8zlNm8SpoOfPoP9NK384:03zIysVjg2Rxnk8zls8S6OfPoP239
Threatray 1'338 similar samples on MalwareBazaar
TLSH B5059D2522695A12DC7F333F745DD800A3E0BD5F4732C1AE6FA4BF993A93BA1442534A
Reporter Anonymous
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
112
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.cc.465.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/538902
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 318543 Sample: RFQ HLG 21565 HLG SLB ENI M... Startdate: 17/11/2020 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 11 other signatures 2->37 7 RFQ HLG 21565 HLG SLB ENI MGS BGCS 3 5 RFQ PROJECT OPEN QUOTE HLG 2140 PSI OCT Rev 0 201.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\tPVZcsussHbc.exe, PE32 7->19 dropped 21 C:\Users\...\tPVZcsussHbc.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp7557.tmp, XML 7->23 dropped 25 RFQ HLG 21565 HLG ...T Rev 0 201.exe.log, ASCII 7->25 dropped 39 Injects a PE file into a foreign processes 7->39 11 RFQ HLG 21565 HLG SLB ENI MGS BGCS 3 5 RFQ PROJECT OPEN QUOTE HLG 2140 PSI OCT Rev 0 201.exe 6 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 smtp.deahwaco.com 11->27 29 us2.smtp.mailhostbox.com 208.91.199.225, 49771, 49772, 587 PUBLIC-DOMAIN-REGISTRYUS United States 11->29 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->41 43 Tries to steal Mail credentials (via file access) 11->43 45 Tries to harvest and steal ftp login credentials 11->45 47 Tries to harvest and steal browser information (history, passwords, etc) 11->47 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/97c73eb27f164d01020de5531c96adb305bfdd8e6ec727bfaf65a2fa7b02638a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 02:04:23 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s7dt5mt7czgqcaqn4vjrzfvnwmc37xmon3dspp5pmwrpu6ycmofa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a41900b78aa8ad61d42ee6cf76f4045093ea691d6a0e0ab6d535f6bb6ddb907
AgentTesla
19a8a4216e0f95f9c4ad7d8318599a9e91791867e3b757b16eae9b2f1e38a143
AgentTesla
1e3772fb826af045d4d6aa5943be1c66bfca44858adaee941606ebce680373d1
AgentTesla
31705dc52cd25b1a406341a071401d39833225a184c0918214edf72cd3a77a57
AgentTesla
639aa73ed2700349b87c9a12879447b219dfd137f60f50611588e9ced7726392
AgentTesla
aa7bb4cef770d1c8fe06f5e4d7a0bff3c2947df233dd5c78f731a154c07f5013
AgentTesla
ace15b4d4120396673e1b09fc53278527fcb465235c2ad23403fd24d08ebd460
AgentTesla
c2c8dd06ab505a3989373e72a3f565054a63716424f559592859024d2bade1d7
AgentTesla
c4d89130c6dd4e07b70510bf0397f775abacf0b8f1cf5a01f2461a266bfdaaf3
AgentTesla
fdb7a6062629817446b0ca39ab05f73ecda6a5b145f416b3b485856e5052e7c1
AgentTesla
+ 1'328 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201117-b43tjjgcb2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
97c73eb27f164d01020de5531c96adb305bfdd8e6ec727bfaf65a2fa7b02638a
MD5 hash:
751993dc0898ed185eefc4142e1f2da6
SHA1 hash:
622abae8982fc63e6c93f5e3465961ae5a219191
Link:
https://www.unpac.me/results/50440bda-1b91-4e6e-9f1b-3e9f1ae05adc/
SH256 hash:
2f845e0033dc8144028c2132ed9e419f113712bff22fbe2e9625dc7411ac180a
MD5 hash:
f9305282debaa5655aede4e706ddcaf9
SHA1 hash:
19a05d30a0975b722cb2a897c531e0baa60f0b1c
Link:
https://www.unpac.me/results/50440bda-1b91-4e6e-9f1b-3e9f1ae05adc/
SH256 hash:
c8671a87d685f2354d96f3cfcad530dfa5f3ec535a0f5ec14940d81fb857813b
MD5 hash:
b5358f677850210361f573c7d249c258
SHA1 hash:
215e06e319515d779efa88f7c05b343d6ec3f6a5
Link:
https://www.unpac.me/results/50440bda-1b91-4e6e-9f1b-3e9f1ae05adc/
SH256 hash:
e7a3b2c60b11467fb32a93d2220758b5326463c467bb93553ff5904d936f9250
MD5 hash:
834f2fa7cdcd850a1eff0c57faa9c0d5
SHA1 hash:
21fb8027dca03b4108e5aaabc9276fdaa19546ae
Link:
https://www.unpac.me/results/50440bda-1b91-4e6e-9f1b-3e9f1ae05adc/
SH256 hash:
c6fcf5d515d56cf746b4c4aa4695f11e9ad7f6063a96cda810bf39dc47c5a7a0
MD5 hash:
47509d9db24c975e55c287afdc459fad
SHA1 hash:
4f1f893555c985d7cbba731cf1fdbf49c6ecf793
Link:
https://www.unpac.me/results/50440bda-1b91-4e6e-9f1b-3e9f1ae05adc/
SH256 hash:
8dbdfeaa88e7385ed46d1008e8174bb6133ebd605b5c958bb995383f3da062fc
MD5 hash:
4b5ba8bedbdc70827e4beaa3d14a9a91
SHA1 hash:
89169aefcb3d9adb7fba9e37e1981bce7fc356b1
Link:
https://www.unpac.me/results/50440bda-1b91-4e6e-9f1b-3e9f1ae05adc/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Comments