MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f64f6cdf34223961fe65653d8fd5d66dc2fdc3e5d56422cdc5923765f78cf47d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	f64f6cdf34223961fe65653d8fd5d66dc2fdc3e5d56422cdc5923765f78cf47d
SHA3-384 hash:	5de531dd03a2fdbfc2ce36c71de08d37d6d54594fdd8b24e71cb2a91b7fd4c6c1a6d81fa2e746f078d3832729feda5a0
SHA1 hash:	26357ca45ddae73756cb09df22f253c776e1a821
MD5 hash:	c8cf2942e9ae86feddeb457573e8aa2a
humanhash:	fillet-carpet-five-winter
File name:	Purchase Order #857498.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	862'720 bytes
First seen:	2020-08-18 12:01:42 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e877e52c1d0025820b0d8228acf49bf6 (15 x AgentTesla, 14 x Loki, 4 x Formbook)
ssdeep	12288:Y+p7p8KESESHe4/gD6WDSqWl/LDGTGM5irKz+p/j7e2MkiE0YN1vGQ6F4+N7d+Y:DtRES4DBSq2KG2bCjCIWYN5D6FjN7sY
Threatray	9'692 similar samples on MalwareBazaar
TLSH	6305AE66B2E0443FD166263C9D1B97B47839BE302A285D467BF55C4F8F3D68138392A3
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: vps.confidencegroup.co
Sending IP: 162.144.54.78
From: Sales Petrolzim <sales@vaka.co.zw>
Reply-To: Sales Petrolzim <cri.sigmai@gmail.com>
Subject: RFQ- Msasa installation of CP 5 Steel Palisade Fencing- Urgent
Attachment: Purchase Order 857498.r11 (contains "Purchase Order #857498.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/47796/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Launching a process

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Moving of the original file

Stealing user critical data

Unauthorized injection to a system process

Enabling autorun by creating a file

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/f64f6cdf34223961fe65653d8fd5d66dc2fdc3e5d56422cdc5923765f78cf47d/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-08-18 01:16:14 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=6zhwzxzuei4wd7tfmu6y7vownxbp3q7f2vscftofsi3wl54m6r6q._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

agenttesla

AgentTesla

1328e0030337b326a962b3369cc8dd2b474de98267e8e9fdc3684f4e5ecb9984

AgentTesla

1a55a181a00b302c127b8871d999942cd3f9b83cfb3172cca4894fbbea1b668f

AgentTesla

21fd74234f073c7af91314d235b04418af7ad84f7a2cccc54b8af8192372cd7d

AgentTesla

254920e6788f4cb4975f08c5deef07e932f4a370a38c5197d7a4fb7846ea63ae

AgentTesla

4d999c1660ff34c639225029732ed7aa9b3af03e5b20c054e9310f1f208fb608

AgentTesla

869e8a26e04953a411e7454c800e022bbbb3825320ab6e3935213357789f0844

AgentTesla

9011468f8a2d455ad6446b9f8e277db5b7daf0becf65644ad12b94bcad401380

AgentTesla

a9103ccf2939a9a9b54d8c50aa993af6fcf3ddda4e0491f1987fe09a83f98ab3

AgentTesla

a93339bcc8ab06b5ef34abc63ba05c692b285ab47ff5d13b70959a52b3f53455

AgentTesla

+ 9'682 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx keylogger stealer persistence spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200818-svr1898xqn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Drops startup file

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/f64f6cdf34223961fe65653d8fd5d66dc2fdc3e5d56422cdc5923765f78cf47d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar