MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9fd1365171b6855e5859a522a4642ae8c558e26ac2792a11b19a6a0ed8361c7b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	9fd1365171b6855e5859a522a4642ae8c558e26ac2792a11b19a6a0ed8361c7b
SHA3-384 hash:	696f630f2d1c4887f9a6b7869d94441fa49ca16300db07fbb4093055e47361be1a3ffda35bd87ab986b1e77d9af4e11d
SHA1 hash:	fdbdbf09813069562e861f324de8e3cdba80b9b0
MD5 hash:	f59da0e1d30df4e697a8fd4e2a9d4837
humanhash:	double-mars-muppet-single
File name:	98650107.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	495'616 bytes
First seen:	2020-11-26 06:45:41 UTC
Last seen:	2020-11-26 08:42:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	6144:9G9srNUcK26/DgHI50asAexqsrDgzXXzLrd2g+GXxN5ZGIx4jwE:IWaLp/DgHjjxzgDXzh
Threatray	1'511 similar samples on MalwareBazaar
TLSH	CFB44A8577502F2CFA1F0F36DC502E64106FAF967D99F3CE69907C027A726E1A521943
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: mail.indofarm.in
Sending IP: 104.237.51.71
From: Kristina Rosalia <k.gacova@svemek.mk>
Subject: Re: Re: Re: Overdue Proforma Invoice
Attachment: 98650107.img (contains "98650107.pdf.exe")

AgentTesla SMTP exfil server:
mail.orisinlog.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

147

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Using the Windows Management Instrumentation requests

DNS request

Sending a custom TCP request

Launching the default Windows debugger (dwwin.exe)

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/547777

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

May check the online IP address of the machine

Modifies the hosts file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/9fd1365171b6855e5859a522a4642ae8c558e26ac2792a11b19a6a0ed8361c7b/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2020-11-26 06:46:06 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=t7itmulrw2cv4wczuurkizbk5dcvrytkyj4suenrtjva5wbwdr5q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2565e3190558400fb85b0389e7aadf850a4c32d2b7b7d09e37820b8ad361c39a

AgentTesla

3b8067fda3a018631e93bcc5e5ab73c56adc91c4964c45c092d42f2cc9acea6e

AgentTesla

4c67722d6cbbdf3ca55c350488c348f1ccc5177727bd008c10856b16c8510b69

AgentTesla

54297a66291e2f879e2eaae44cb06032719d69299968e28c237f6315fe1d7eb1

AgentTesla

642dfced9844802f4388b3c2f30e08d9a1c94f2507e7277d900756b284d37ca1

AgentTesla

7323b8d5a71d744ada47370e02c8d86eb551bacb6881aee27ed7ec61cc22e068

AgentTesla

a97528499bee868023a6898c85da34f9ed73a5a12b8a3a01817a88d82a8c5641

AgentTesla

da4e120e4586c277edfa8a75a76f502a53c60594caee8b0bdf452220c9c61efb

AgentTesla

e4a41177193fe8cd0c6113402e16b6be355a08baed17e525019ff02ffd8884a8

AgentTesla

+ 1'501 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201126-f2mmnqg6he/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla

Unpacked files

SH256 hash:

9fd1365171b6855e5859a522a4642ae8c558e26ac2792a11b19a6a0ed8361c7b

MD5 hash:

f59da0e1d30df4e697a8fd4e2a9d4837

SHA1 hash:

fdbdbf09813069562e861f324de8e3cdba80b9b0

Link:

https://www.unpac.me/results/b99d5476-7f34-4003-9323-56e2682305f4/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.