MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d67714f104e0589b1b940c38863b6de8b9ba0ebb1e21b38de489f5cf731bb126. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d67714f104e0589b1b940c38863b6de8b9ba0ebb1e21b38de489f5cf731bb126
SHA3-384 hash: ca90fe20a84450e945ece9eece6f8ac5d3213108df8b919f59fd3a68db2a48908ea931e15fa5bf4fd1b287ace88c9e30
SHA1 hash: 0f09de88c5d7efdbca32073c8fa64c5626fb1432
MD5 hash: 27a09c049b2a0c28cbab2b22e7c9648c
humanhash: india-march-quiet-oscar
File name:RFQ-34343663535242 KOSO NORTH AMERICA .exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:723'456 bytes
First seen:2020-10-05 11:52:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 41cd3d95714b0df8060323fdc67b3eba (10 x AgentTesla, 6 x Loki, 1 x MassLogger)
ssdeep 12288:3cAt9L2fndhBK2w3p3z+iqiBZdMuWD9gPJ8lk+JyIxIHg:9HqhBFgBg62k+wI6A
Threatray 1'885 similar samples on MalwareBazaar
TLSH B9F49E22A2E14833C1771A3D9DDB6774DC29BE533D28A94A3FE4DC4C9F396817819293
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: koso-na.com
Sending IP: 185.222.57.210
From: Daniel White<info@koso-na.com>
Subject: RFQ-34343663535242 ( KOSO NORTH AMERICA )
Attachment: RFQ-34343663535242 KOSO NORTH AMERICA .gz (contains "RFQ-34343663535242 KOSO NORTH AMERICA .exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68179/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Moving of the original file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481370
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d67714f104e0589b1b940c38863b6de8b9ba0ebb1e21b38de489f5cf731bb126/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 08:12:35 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2z3rj4ie4bmjwg4ubq4imo3n5c43udv3dyq3hdperh2464y3weta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c2bb30542c1eccedf03c4d33aeed1351ef6415397d90f63a42f3b78a0371516
AgentTesla
15b7b8d7605de957a8bec1830cd04361e5e42d50b0e3fd42c7a15bb16b3c56ae
AgentTesla
27efe7f981e88e619d7a59df155f8b9f7c7bdcc0f52b08de1c0cedeaa9e817d9
AgentTesla
3c1f3c4bbc1216d2034ff7138aefa4ce290ad433a96657b443cdb8c485c8854e
AgentTesla
61a1cd72c2ea9b57bd8ee98142079bb567a179b3e799802c293bb4d80a2501ab
AgentTesla
627969cbad79a5c75027afefc27dde640f427ab09b96a2511917ba5a7be1b820
AgentTesla
8460f094293c03a18ceb6c57ac1d3073696a2865033462d8006b8b6b1033f76a
AgentTesla
b3f2d07e97cfe28deee3a65b8541c48f96f022b52db515b06c635f3b9fcc35ef
AgentTesla
baad571b7bebeb2d292fdff866400947877d8531a7bcbee73635660d73d8cc86
AgentTesla
d2e12e778519b6ea35daaef5eadae95b9f9e7f60676c8ddae1b321e384984c63
AgentTesla
+ 1'875 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201005-hhsfxt2ycn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
d67714f104e0589b1b940c38863b6de8b9ba0ebb1e21b38de489f5cf731bb126
MD5 hash:
27a09c049b2a0c28cbab2b22e7c9648c
SHA1 hash:
0f09de88c5d7efdbca32073c8fa64c5626fb1432
Link:
https://www.unpac.me/results/27dbd969-1b5d-49b8-b6d7-ac550771db46/
SH256 hash:
bfcd9f3ba966a1a0294bf2a4bc995779bef3d53cf0895b7d511e56532353d410
MD5 hash:
ffc1d3b8526ea05c8f484f5d4c869acf
SHA1 hash:
fd443b5b36b20f865ab92408810088e42e26e404
Link:
https://www.unpac.me/results/27dbd969-1b5d-49b8-b6d7-ac550771db46/
SH256 hash:
4be5c62f60e3b3e3b93238992db8c2e655acc2a168adaf227f4518530a4acc16
MD5 hash:
10652166b5dcad12cfe5940c6ee1ed8a
SHA1 hash:
55af7c6440a1ebddffd118308871bcd6baa90035
Link:
https://www.unpac.me/results/27dbd969-1b5d-49b8-b6d7-ac550771db46/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d67714f104e0589b1b940c38863b6de8b9ba0ebb1e21b38de489f5cf731bb126

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 16be5886c2fed3890bcd56e1dd79b4203f2202a19933af92c26d74ed1fb51c52

AgentTesla

Executable exe d67714f104e0589b1b940c38863b6de8b9ba0ebb1e21b38de489f5cf731bb126

(this sample)

  
Dropped by
MD5 b50b6da4c167dd03a885b76102d5b1e8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68179/
  
Dropped by
SHA256 16be5886c2fed3890bcd56e1dd79b4203f2202a19933af92c26d74ed1fb51c52

Comments