MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1422a68552a1a97bdc63ca454352d1fd780056b38582e7f82bf12f6fc23593e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1422a68552a1a97bdc63ca454352d1fd780056b38582e7f82bf12f6fc23593e
SHA3-384 hash: 282b15c6900ead614dbb991b323503a5f14a705b44986c85ae3879bef9b873ad676b36a7bf1b1539ed5a54bc712f0e6b
SHA1 hash: 03755f9b2b70493b0a17b393e6d128497f6f0420
MD5 hash: 86584708277a7d2347424d14fd83f2b8
humanhash: georgia-pizza-arizona-idaho
File name:RFQ.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:782'336 bytes
First seen:2020-10-19 06:40:33 UTC
Last seen:2020-10-19 08:24:28 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:axp/YKkhmGA1hQ6PwZxajyZGf8yw/QIj4FfSsc+kM0s9qtKr+s4oHFNQNcp:axGK0mGwh/PwZ8jdf8y2j4YjrM0skI6Q
Threatray 629 similar samples on MalwareBazaar
TLSH 5AF49D1462842F58E07D97325260145093F6BC42CB39D94EBDE83AD93E72FC2C777A9A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: Kim Sales <ahkn@cyber.net.pk>
Reply-To: vinordraieng@gmail.com, ah.kn@cyber.net.pk
Subject: RFQ : 75 - 20
Attachment: RFQ.pdf.z (contains "RFQ.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72750/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.21720.16723.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/494894
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a1422a68552a1a97bdc63ca454352d1fd780056b38582e7f82bf12f6fc23593e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 22:56:25 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ufbcu2cvfinjppoghssfinjnd7lyabllhbmc474cx4jpn7bdle7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
13f1fde2f8426f9ee2addd7ff3a710d9fb7042d875fdf3f0e8e080030da53b83
AgentTesla
1b9cbd60298e5be7b6c5813a3c03bd423ae73364049848c44145b9c079fd0adc
AgentTesla
2035071dea13b48db2cc9248961f3f55a41e60b0b346f190a3a69b75670b99bc
AgentTesla
2a24ffa6d726a44c5622fde2eac0f0e770063abf5bcca8f9b33c097677aed2a9
AgentTesla
4636055b5170ddb11d94a466c0c93e57ad40caf68a036274bdf2ded620a22bce
AgentTesla
79402b00f9e23e5dbb45fc15a079b9308a0a890c7955d0e71e5d5489d9cdaca5
AgentTesla
b5ba143b36eb77a1899c07ef016155b3b7ef73b83456cadf534245896360b902
AgentTesla
b84aa5ba2bf1c040d2f318a7f5ff77ee7e8e98a33c458f32c737106568549879
AgentTesla
ea8e298e37b422ef62a77c300ee7f60fba2336f457c3b70c135b981025d840c3
AgentTesla
fd1f86d98d28f8e9ae73acf4609e8cc0e669e97495c7d9bf679151b47432e005
AgentTesla
+ 619 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201019-cn7mzmlk7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
a4fb4edb8473006880aefa0467fdb851d894d170c48a9c5718548e85c1a2ccbf
MD5 hash:
25a78ed1663265a9c084b8e077921e0d
SHA1 hash:
508965e24160e9de9979f72218c6435900554d96
Link:
https://www.unpac.me/results/f5c8cfc6-cde5-4b05-aa75-396dec1243bf/
SH256 hash:
0d150deb6b53043b482e10c18c936cf5398c12fbff2c1f30a2654e1895b3116b
MD5 hash:
e75cf1e18f319229839c2e248ad18f9b
SHA1 hash:
6d1b4c4a2e8e8198f040d64a80f1144913c0e31e
Link:
https://www.unpac.me/results/f5c8cfc6-cde5-4b05-aa75-396dec1243bf/
SH256 hash:
3bddcd915c81ab2898e2b3046fab53156b804cda462c9807f901e2454da08cbf
MD5 hash:
c9b08da950a760be468be5079a4312fb
SHA1 hash:
e3bae2671908f055b47715bfed5f9da13b16c48e
Link:
https://www.unpac.me/results/f5c8cfc6-cde5-4b05-aa75-396dec1243bf/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/f5c8cfc6-cde5-4b05-aa75-396dec1243bf/
SH256 hash:
a1422a68552a1a97bdc63ca454352d1fd780056b38582e7f82bf12f6fc23593e
MD5 hash:
86584708277a7d2347424d14fd83f2b8
SHA1 hash:
03755f9b2b70493b0a17b393e6d128497f6f0420
Link:
https://www.unpac.me/results/f5c8cfc6-cde5-4b05-aa75-396dec1243bf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1422a68552a1a97bdc63ca454352d1fd780056b38582e7f82bf12f6fc23593e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z bfd060b9e861e9a202516bb5a9fbc487be5f0007caf210c7ea3b89f31f1c51bb

AgentTesla

Executable exe a1422a68552a1a97bdc63ca454352d1fd780056b38582e7f82bf12f6fc23593e

(this sample)

  
Dropped by
MD5 0b474b1052489a56f8a13f14f8412353
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72750/
  
Dropped by
SHA256 bfd060b9e861e9a202516bb5a9fbc487be5f0007caf210c7ea3b89f31f1c51bb

Comments