MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f062f04463a6c13f0235fb13d721547d99382b68b4381834b1e9ca4b1ea7d5e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f062f04463a6c13f0235fb13d721547d99382b68b4381834b1e9ca4b1ea7d5e3
SHA3-384 hash: b4c95ed6dcfe117524426c9cc180aeaf3751c9c208eeeae58c0bc696cd9bf6077fdda420b72f90c077e6f4ad76af5832
SHA1 hash: 110abbd50218a12b8a68a32c86733e9636d3b4a8
MD5 hash: ade2434d3015afe2ea549e17fdae7b71
humanhash: butter-ack-fanta-green
File name:Products Request for Quotation - RFQ - 20201016.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:283'488 bytes
First seen:2020-10-17 06:35:45 UTC
Last seen:2020-10-17 08:03:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 3072:EYyzVRKcAN/s2WoW548hhllQcjfMYuATncyNuKv+KoHNo0vT7c77/yAWmww23dHF:JyvKcIs2W9uvxQLy
Threatray 628 similar samples on MalwareBazaar
TLSH 53545C12F1C46632797F743A11BB14F15F32BCA27E6BA66F8D6262232C40F457F1A846
Reporter abuse_ch
Tags:AgentTesla exe SendGrid


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: xvfrhtwb.outbound-mail.sendgrid.net
Sending IP: 168.245.7.155
From: info@em3294.lazertint.co.uk
Reply-To: sales8cases@gmail.com
Subject: Inquiry: RFQ
Attachment: Request for Quotation.rar (contains "Products Request for Quotation - RFQ - 20201016.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
103
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72453/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.25.19447.28063.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
DNS request
Adding an access-denied ACE
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494287
Signature
Allocates memory in foreign processes
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f062f04463a6c13f0235fb13d721547d99382b68b4381834b1e9ca4b1ea7d5e3/
Threat name:
ByteCode-MSIL.Trojan.Bluteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 21:19:10 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=6brparddu3at6arv7mj5oikupwmtqk3iwq4bqnfr5hfewhvh2xrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
459838dd5e98a4fe8c51d2d0c3c7850319b1a13cb41f568aa0cf6cb0bba6e9ef
AgentTesla
5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66
AgentTesla
6fa3091f305d9f040aca294e296e92c3590ce397bbf650ee9f26e3bc744d1f6a
AgentTesla
8f416a96a4a8475bd8486d264aad1bb73ad020db8e7e1d0f268432684096511b
AgentTesla
97a4e627e5182df35863f15f757d3de6f98fb7f3d94664a751df46a9d0b1eb8a
AgentTesla
a9b25af5375aebc414264faff8068a6848607b660ef951eee0357799e25d6740
AgentTesla
b29a4f0435f0d54c78c34e1b3d86cdb9b81996ee0e1c50f51a3d0716deee3ff5
AgentTesla
c456e8fa5cd496f1293870881ce5052a1e288ada68d414de521d64a782792792
AgentTesla
e00ba7b865f84ff41de5217b89fb197f5559c137c48d6d84313252cd459f4b12
AgentTesla
f7c8cbe0001970e2d04206389e637df25bbded7928fefae62ba910efb216bd2c
AgentTesla
+ 618 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201017-4md7fzgjdn/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
f062f04463a6c13f0235fb13d721547d99382b68b4381834b1e9ca4b1ea7d5e3
MD5 hash:
ade2434d3015afe2ea549e17fdae7b71
SHA1 hash:
110abbd50218a12b8a68a32c86733e9636d3b4a8
Link:
https://www.unpac.me/results/017195a6-d2dd-43ef-86db-ce904fd96c5d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f062f04463a6c13f0235fb13d721547d99382b68b4381834b1e9ca4b1ea7d5e3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar c942c78f50595d3a02a9654f9ae9429e57e112428403bdb3e2dc6dc99afe19cb

AgentTesla

Executable exe f062f04463a6c13f0235fb13d721547d99382b68b4381834b1e9ca4b1ea7d5e3

(this sample)

  
Dropped by
MD5 158e687a5fe4e36cd9611eff92ceb189
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72453/
  
Dropped by
SHA256 c942c78f50595d3a02a9654f9ae9429e57e112428403bdb3e2dc6dc99afe19cb

Comments