MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d0fe6e4b50ffd3865033ef39b877b43c819cf3f0735f3ba99c204361ffc804bf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d0fe6e4b50ffd3865033ef39b877b43c819cf3f0735f3ba99c204361ffc804bf
SHA3-384 hash: f3667818b8d0b13966a6e74edbfa62216f377d2479ed7d73c6b3c051712da35f7b8dcfdacab475436e7a90cc46b9975d
SHA1 hash: 72771f613a675845377b03352ce236817f02a35d
MD5 hash: d1c0c210dc127509d081251a6a2031df
humanhash: washington-west-nuts-batman
File name:RFQ#675568PL_pdf.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'224'704 bytes
First seen:2021-01-12 18:04:56 UTC
Last seen:2021-01-12 19:49:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:6ZNG+llin6rdvqFO3YMDgkWeHjursMauPX71+f5mUfGj:6tV0OJDgkWeDursM3PX71WYUu
Threatray 5 similar samples on MalwareBazaar
TLSH FF45E5D0DF93D700D2AC26FDD01D805C16E1EF5AA3A8DE48D954F3A51A22A1CC9ED6F2
Reporter abuse_ch
Tags:AgentTesla scr


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: host.gfg.com.pk
Sending IP: 116.71.128.142
From: Purchase Department <sohail.musaddaq@gfg.com.pk>
Subject: RFQ ref RS01
Attachment: RFQ675568PL_pdf.img (contains "RFQ#675568PL_pdf.scr")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
128
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ#675568PL_pdf.scr
Verdict:
Suspicious activity
Analysis date:
2021-01-12 18:33:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2ce9124f-6837-45db-acc9-968d7064d441

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/111583/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.5222.28931.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/579376
Signature
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d0fe6e4b50ffd3865033ef39b877b43c819cf3f0735f3ba99c204361ffc804bf/
Threat name:
ByteCode-MSIL.Trojan.Taskun
Create hunting rule
Status:
Malicious
First seen:
2021-01-12 18:05:10 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=2d7g4s2q77jymubt5443q55uhsazz47qonptxkm4ebbwd76ias7q._file
Verdict:
unknown
Similar samples:
021e34e6c2220dd75d543909346f6f19f4ef6c356f530cd7bb64288393bbc7a8
AgentTesla
3cdb85efd62add89d7945f62faf3c578d7fa6b5ec68573b1d774265afd46a8ad
AgentTesla
60aa2441e560ef826bf1bb15df393507ca4e8627dd92ff7a40fefb3d7c71ed7b
AgentTesla
dd364f123e241e6edd773382a05180e538e93eb6d471856f2217422e47526e51
AgentTesla
e09a6d651f6bbb29c9de2321977d94d7eadf264ca3eb6bd0b7a6876cd6e4866a
AgentTesla
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/210112-t6sq8yv3nn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Unpacked files
SH256 hash:
d0fe6e4b50ffd3865033ef39b877b43c819cf3f0735f3ba99c204361ffc804bf
MD5 hash:
d1c0c210dc127509d081251a6a2031df
SHA1 hash:
72771f613a675845377b03352ce236817f02a35d
Link:
https://www.unpac.me/results/7173f884-101d-4e08-bd63-5f716af32da0/
SH256 hash:
296620e9308a1069ca98d27c426f25f5c1f87d9240bb371c657571034b0261b5
MD5 hash:
4cf24d41a7882216740280e3294cb853
SHA1 hash:
6bcb31d3dc0a7d71da1067a628168664202769a4
Link:
https://www.unpac.me/results/7173f884-101d-4e08-bd63-5f716af32da0/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d0fe6e4b50ffd3865033ef39b877b43c819cf3f0735f3ba99c204361ffc804bf

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 0e10c345e543f56a7802d26091e647d3219fd4976bfa8eb75fa51c3d2e117ad2

AgentTesla

Executable exe d0fe6e4b50ffd3865033ef39b877b43c819cf3f0735f3ba99c204361ffc804bf

(this sample)

  
Dropped by
MD5 a0af20aca96391628bc4c32d2c954a4c
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 0e10c345e543f56a7802d26091e647d3219fd4976bfa8eb75fa51c3d2e117ad2
Cape
Cape
https://www.capesandbox.com/analysis/111583/

Comments