MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c456e8fa5cd496f1293870881ce5052a1e288ada68d414de521d64a782792792. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c456e8fa5cd496f1293870881ce5052a1e288ada68d414de521d64a782792792
SHA3-384 hash: 957e7f0972f09571b462f807bc9ba272cb8aeaabe9ee1aa4658eadb6be13ca82dfca202597b8d1b72f4f847e49651294
SHA1 hash: cb493d07e6e9128dc3b053c29e6629b4b8473fbd
MD5 hash: 9c8490fa8665ebc96dbcfb6bf1dca024
humanhash: kansas-enemy-bacon-seven
File name:RFQ-QUOTE B1018530.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:203'008 bytes
First seen:2020-10-12 09:53:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 3072:LbxHWQonno6Sw+hdVOFyS6gDvSyHCCb0f0DaKadazaga/aWZRf4uY:ZtPS6T+Afxm
Threatray 462 similar samples on MalwareBazaar
TLSH CB146705708AFCA5DEF5003011D5D67861F26AFA9810E2782DF28DD8FF86E51278B5AF
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: kontec.ae
Sending IP: 64.44.57.18
From: Abdullah Hamad Kontec Trading<info@kontec.ae>
Subject: REQUEST FOR QUOTATION -QUOTE B1018530
Attachment: RFQ-QUOTE B1018530.pdf.iso (contains "RFQ-QUOTE B1018530.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70055/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488289
Signature
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296599 Sample: RFQ-QUOTE B1018530.pdf.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 28 Multi AV Scanner detection for submitted file 2->28 30 Yara detected AgentTesla 2->30 32 Sigma detected: Suspicious Double Extension 2->32 34 8 other signatures 2->34 7 RFQ-QUOTE B1018530.pdf.exe 15 2 2->7         started        process3 dnsIp4 22 us-east-1.route-1.000webhost.awex.io 145.14.144.78, 443, 49730 AWEXUS Netherlands 7->22 24 marketingeller.000webhostapp.com 7->24 36 Hides threads from debuggers 7->36 38 Injects a PE file into a foreign processes 7->38 11 WerFault.exe 23 9 7->11         started        14 timeout.exe 1 7->14         started        16 RFQ-QUOTE B1018530.pdf.exe 2 7->16         started        18 RFQ-QUOTE B1018530.pdf.exe 7->18         started        signatures5 process6 dnsIp7 26 192.168.2.1 unknown unknown 11->26 20 conhost.exe 14->20         started        process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c456e8fa5cd496f1293870881ce5052a1e288ada68d414de521d64a782792792/
Threat name:
ByteCode-MSIL.Trojan.Injuke
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 08:41:21 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yrlor6s42slpckjyocebzziffipcrcw2ndkbjxssdvskpatze6ja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0afff32555fbbdc301d9ffc446e9bebe445d3b186a80bcdbf54342c61e4b4a4d
AgentTesla
264ad4ce9b883fe3ff074ec43f796c1a496da7647bad4bd70c3c905b2dc22711
AgentTesla
459838dd5e98a4fe8c51d2d0c3c7850319b1a13cb41f568aa0cf6cb0bba6e9ef
AgentTesla
6312da10a200d199338d238923be0a3f9ae4fa4ee20fde05d3875e22fe7a66bc
AgentTesla
66c8e38b2f545edd7660168b8e778c165f200867abb90cd07c2f033ea1ae8405
AgentTesla
7f717f3d6242070c4f59575f510fa366e5cbd6c17ad484c0735fca89e365a351
AgentTesla
b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181
AgentTesla
db539ae936d63a0f8340157cd6af07c6f3fd14b354799db61967679095d78576
AgentTesla
f23c845c6c2450e632e8894be99fe3eb8a6a42eedc749c593431665c18e37d03
AgentTesla
f4468ef3eb4ae6445b097b0200d918ae0e1bba94b8c4c613031e2aab32c9f083
AgentTesla
+ 452 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201012-kbdje3hma6/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
c456e8fa5cd496f1293870881ce5052a1e288ada68d414de521d64a782792792
MD5 hash:
9c8490fa8665ebc96dbcfb6bf1dca024
SHA1 hash:
cb493d07e6e9128dc3b053c29e6629b4b8473fbd
Link:
https://www.unpac.me/results/0824a769-090d-4498-9a99-8f469e27c088/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c456e8fa5cd496f1293870881ce5052a1e288ada68d414de521d64a782792792

File information

The table below shows additional information about this malware sample such as delivery method and external references.

a579b25e1e6063929ff7b21d673b4d56

AgentTesla

Executable exe c456e8fa5cd496f1293870881ce5052a1e288ada68d414de521d64a782792792

(this sample)

  
Dropped by
MD5 a579b25e1e6063929ff7b21d673b4d56
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70055/

Comments