MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4ffdc4465c7c6e87f6c793a9b524e721e00f4830bd35c77b5af5035c7828783. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4ffdc4465c7c6e87f6c793a9b524e721e00f4830bd35c77b5af5035c7828783
SHA3-384 hash: f7e278af07ea13cb6ec7f90c998260eb8cccabecb5d71345ec6b56814884ddc10bd1726d894989e3f68b6078002bd16b
SHA1 hash: e47d5e9da8d9c8a4da09be0c5f2710caa4a1f658
MD5 hash: be32354737fc348e43f70af2d92523e1
humanhash: avocado-orange-nevada-emma
File name:RFQ #7696679TTR6F.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'348'096 bytes
First seen:2021-07-31 05:44:41 UTC
Last seen:2021-08-03 17:01:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:7t/S/d3IYdkzX4QTVJUspp7lkU2WI7Lp4smwRGPoN7vdiTbnFM:KGddI/p7m/PoiM
Threatray 7'662 similar samples on MalwareBazaar
TLSH T19C55013588CCDFEACC9D03751F8C03A43EF19456A1B0E5B43E5A46B1EAC0D69E9B9742
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
751
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ #7696679TTR6F.exe
Verdict:
Malicious activity
Analysis date:
2021-07-31 05:46:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b3d17c00-62e0-42b4-9081-817e09a11172

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/175405/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.967-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/66714e7c-219d-4fbe-8803-72a71f88ca9b
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/824819
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 457231 Sample: RFQ #7696679TTR6F.exe Startdate: 31/07/2021 Architecture: WINDOWS Score: 100 47 clientconfig.passport.net 2->47 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Found malware configuration 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 9 other signatures 2->63 8 RFQ #7696679TTR6F.exe 7 2->8         started        12 kSrYER.exe 5 2->12         started        14 kSrYER.exe 2 2->14         started        signatures3 process4 file5 35 C:\Users\user\AppData\...\dWSSFTLKpeGggT.exe, PE32 8->35 dropped 37 C:\...\dWSSFTLKpeGggT.exe:Zone.Identifier, ASCII 8->37 dropped 39 C:\Users\user\AppData\Local\...\tmp874A.tmp, XML 8->39 dropped 41 C:\Users\user\...\RFQ #7696679TTR6F.exe.log, ASCII 8->41 dropped 65 Injects a PE file into a foreign processes 8->65 16 RFQ #7696679TTR6F.exe 2 9 8->16         started        21 schtasks.exe 1 8->21         started        67 Multi AV Scanner detection for dropped file 12->67 69 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->69 71 Machine Learning detection for dropped file 12->71 73 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->73 23 schtasks.exe 1 12->23         started        25 kSrYER.exe 2 12->25         started        signatures6 process7 dnsIp8 43 smtp.ojototheworld.us 16->43 45 us2.smtp.mailhostbox.com 208.91.199.224, 49738, 49739, 587 PUBLIC-DOMAIN-REGISTRYUS United States 16->45 31 C:\Users\user\AppData\Roaming\...\kSrYER.exe, PE32 16->31 dropped 33 C:\Users\user\...\kSrYER.exe:Zone.Identifier, ASCII 16->33 dropped 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->49 51 Tries to steal Mail credentials (via file access) 16->51 53 Tries to harvest and steal ftp login credentials 16->53 55 2 other signatures 16->55 27 conhost.exe 21->27         started        29 conhost.exe 23->29         started        file9 signatures10 process11
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4ffdc4465c7c6e87f6c793a9b524e721e00f4830bd35c77b5af5035c7828783/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-07-30 08:52:33 UTC
File Type:
PE (.Net Exe)
Extracted files:
44
AV detection:
18 of 27 (66.67%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4t75yrdfy7doq73mpe5jwusooipab5edbpjvy55vv5idlr4cq6bq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
48bead02d24712c90cb698b02f3fc006889b6d0e134db625c6df37682f8ec029
AgentTesla
52588494e071e71a1c8f47311bd922432d1c721dc7b10ad69f86afc651bb056b
AgentTesla
540bb22ebba63642369ea8ff2d1c87db348926c8d0dee112bb883c0148447237
AgentTesla
6661acf762423f3241fa87250e9e8e82b270ed2c8ee891f5ca64e62c0140e6b8
AgentTesla
72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
AgentTesla
8521dfd606cbbdb72c307cafd49fbbe179e5e4bb1fed33fde4f767cd87963296
AgentTesla
99316f18cd9051b5f5a433d4fe11376f5dbdb7bd45ee2f276e92f89e05cbb5f0
AgentTesla
d6c2f86d580dc289e39d57eabbc51123825a60887b93014ba1ed0b311307d84a
AgentTesla
fcb3b9ad1b0c4d3aa5c902f1708402e9a91b981ba919f0d002b498076f08e02f
AgentTesla
+ 7'652 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210731-r1hmrq4tfa/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
CustAttr .NET packer
AgentTesla
Unpacked files
SH256 hash:
f5f264cff207bd08de3b1412270dbc55227d0bf1e0eaab754e7f8f9c9aea66a5
MD5 hash:
33e33d55cd3558591d9d1921d9ba81ac
SHA1 hash:
793a66d8b94aa217fe99a6d402a7f46d82748239
Link:
https://www.unpac.me/results/298efac1-eb3f-443c-9a8e-d6539a90e9a4/
SH256 hash:
97d2fa1d01b2f9a2199896e05e0cf60c14a9f41ef2d72e15fbb862b7afa08438
MD5 hash:
68463851c0e6fe7a254c99fae763d454
SHA1 hash:
4587a5371d88c296a0184fe47ee0c5245b187127
Link:
https://www.unpac.me/results/298efac1-eb3f-443c-9a8e-d6539a90e9a4/
SH256 hash:
446a0ca823108f2f887af3aa194a8babd38011cf735a60ec5ff91d71c23ae13f
MD5 hash:
360328481a5412e27f0900c5e60f7c7a
SHA1 hash:
3c8be925a3abd6f5961583027e5ef008f8cccd66
Link:
https://www.unpac.me/results/298efac1-eb3f-443c-9a8e-d6539a90e9a4/
SH256 hash:
e4ffdc4465c7c6e87f6c793a9b524e721e00f4830bd35c77b5af5035c7828783
MD5 hash:
be32354737fc348e43f70af2d92523e1
SHA1 hash:
e47d5e9da8d9c8a4da09be0c5f2710caa4a1f658
Link:
https://www.unpac.me/results/298efac1-eb3f-443c-9a8e-d6539a90e9a4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e4ffdc4465c7c6e87f6c793a9b524e721e00f4830bd35c77b5af5035c7828783

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z fa9703cb5585c42f5c086a92f1e95a4d9e1ab553907a7cb3692e09fd9606fa1c

AgentTesla

Executable exe e4ffdc4465c7c6e87f6c793a9b524e721e00f4830bd35c77b5af5035c7828783

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 fa9703cb5585c42f5c086a92f1e95a4d9e1ab553907a7cb3692e09fd9606fa1c
Cape
Cape
https://www.capesandbox.com/analysis/175405/

Comments