MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f7c8cbe0001970e2d04206389e637df25bbded7928fefae62ba910efb216bd2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	f7c8cbe0001970e2d04206389e637df25bbded7928fefae62ba910efb216bd2c
SHA3-384 hash:	d1a5dfa9b299c0e77d05921949f3d721535ac86d807e22b13b824d2228d1fabd54a5638f5e22bf205b5bf1e92ed2819d
SHA1 hash:	bc0e7ae0e18d30121d596ac27cb8c25d748dabcb
MD5 hash:	977551929a4d1367575b273ba48e799b
humanhash:	november-thirteen-red-fix
File name:	Remmitance Copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	536'352 bytes
First seen:	2020-10-12 19:13:51 UTC
Last seen:	2020-10-12 20:24:15 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	6144:sVxEVpqBCeluN8BfyAd9ruUDmrguulfDiknNeIeXPr+l4GOjXdTfxddPR:uEVpw0wnd9rFDVTxUIojvGOjhJPR
Threatray	503 similar samples on MalwareBazaar
TLSH	DBB45A1834B7BF1A99B54236C932B848F5F2B0E23F51E2275FD45ACBC4A87402755CBA
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: 21.137.82.23.in-addr.arpa
Sending IP: 23.82.137.21
From: info@ultracanvas.co.uk
Subject: Remittance Copy
Attachment: Remmitance Copy.rar (contains "Remmitance Copy.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

120

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/70177/

Detection(s):

SecuriteInfo.com.Variant.MSILPerseus.237210.32070.5807.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Launching a process

Creating a process with a hidden window

Sending a UDP request

Adding an access-denied ACE

Unauthorized injection to a recently created process

Creating a window

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/488832

Signature

Antivirus / Scanner detection for submitted sample

Binary contains a suspicious time stamp

Contains functionality to hide a thread from the debugger

Hides threads from debuggers

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/f7c8cbe0001970e2d04206389e637df25bbded7928fefae62ba910efb216bd2c/

Threat name:

ByteCode-MSIL.Trojan.Perseus

Status:

Malicious

First seen:

2020-10-12 14:07:54 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=67emxyaadfyofuccay4j4y356jn333lzfd7pvzrlveio7mqwxuwa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2527df2823de3eba2ed8f38e433938832ce4d887d843efcb21a860bbd8a14908

AgentTesla

459838dd5e98a4fe8c51d2d0c3c7850319b1a13cb41f568aa0cf6cb0bba6e9ef

AgentTesla

493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927

AgentTesla

6564b76eec49b15e7a3f42b48fedca593b48e5f145863dd16ea519b3bcf09e60

AgentTesla

b29a4f0435f0d54c78c34e1b3d86cdb9b81996ee0e1c50f51a3d0716deee3ff5

AgentTesla

b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181

AgentTesla

c456e8fa5cd496f1293870881ce5052a1e288ada68d414de521d64a782792792

AgentTesla

e00ba7b865f84ff41de5217b89fb197f5559c137c48d6d84313252cd459f4b12

AgentTesla

f4468ef3eb4ae6445b097b0200d918ae0e1bba94b8c4c613031e2aab32c9f083

AgentTesla

+ 493 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201012-z6nhaeqktx/

Behaviour

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

f7c8cbe0001970e2d04206389e637df25bbded7928fefae62ba910efb216bd2c

MD5 hash:

977551929a4d1367575b273ba48e799b

SHA1 hash:

bc0e7ae0e18d30121d596ac27cb8c25d748dabcb

Link:

https://www.unpac.me/results/39a58829-2dbd-4f55-be7a-cded9571937c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.35

Link:

https://yomi.yoroi.company/submissions/f7c8cbe0001970e2d04206389e637df25bbded7928fefae62ba910efb216bd2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.