MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fa4d2ff6d00bc311d0cd41fcacae2e183b6fc7c9344b9d4efc60e0654875fa25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	fa4d2ff6d00bc311d0cd41fcacae2e183b6fc7c9344b9d4efc60e0654875fa25
SHA3-384 hash:	91b25133f81a73956d440c4ed029f19a02e8ca4ba7c546ad218d90f69472b45d48c9e1664e84343a0e65f163b8882214
SHA1 hash:	838199427ff0416bdeeaa989065a88fb9777388e
MD5 hash:	5bd1c6d1b17055463cac78f489095f2c
humanhash:	island-mountain-winner-xray
File name:	Shipping Documents.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	545'280 bytes
First seen:	2020-11-25 11:56:39 UTC
Last seen:	2020-11-25 13:40:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:RHd7j4whhjZADjv7bG+ZgM0PXak1PyyQbv04r8ZCzt8LF9QywFxka:RHRhjZUjv7DgM0PMECp8
Threatray	1'487 similar samples on MalwareBazaar
TLSH	A8C4BEBC311079DFCA1BC9B8DA543D58AE50387B530BC20AA65B05DAAA4DBD6CF144F3
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

129

Origin country :

n/a

Vendor Threat Intelligence

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/546881

Signature

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/fa4d2ff6d00bc311d0cd41fcacae2e183b6fc7c9344b9d4efc60e0654875fa25/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-25 10:13:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

27 of 28 (96.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=7jgs75wqbpbrdugnih6kzlroda5w7r6jgrfz2tx4mdqgksdv7isq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2bf325abeef3e5dbce3c2041a7e1bde3ae717a58b2ce07a0286855c22cab4bb8

AgentTesla

5952cc403a58eab272b199a6f39c35bfadf8feeafbadc1a3d30a68e01e93b7ae

AgentTesla

5a527950d894197b2f050718da8829767a02eafa306f6b8b6e10c99ddbf66125

AgentTesla

67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923

AgentTesla

6c172122db5af54bec6f1a6255169ff95ddebce78bc550814c701ef7e2664f58

AgentTesla

97a573fd680ef24fba3d6d7247f05e3425696b8077f4afda2279801f6d4a57d4

AgentTesla

bd8670ff54fdb88e307e5997213a32ee95f922566923e7a645cbf120094cbbdb

AgentTesla

c2330695f7393018b464630da587c9d2ff1cf9d1304f32dfed1b32f0037b78b9

AgentTesla

e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0

AgentTesla

+ 1'477 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201125-xsp74sgvks/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

fa4d2ff6d00bc311d0cd41fcacae2e183b6fc7c9344b9d4efc60e0654875fa25

MD5 hash:

5bd1c6d1b17055463cac78f489095f2c

SHA1 hash:

838199427ff0416bdeeaa989065a88fb9777388e

Link:

https://www.unpac.me/results/276ab1cd-c7cc-4857-b0cf-7c71379c5d03/

SH256 hash:

c43bacfe2a00de165fc4a318891021fdc9f92c2c718b138fa451c161f5cfd6bd

MD5 hash:

48468d71f6187a4c9bd8d3d3febcc6fc

SHA1 hash:

7252f10381a149f7e3c9aeb5464c787324495e26

Link:

https://www.unpac.me/results/276ab1cd-c7cc-4857-b0cf-7c71379c5d03/

SH256 hash:

cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e

MD5 hash:

8cd5d2014866f4ef60802ff1826998a6

SHA1 hash:

8ff75946905d0b117080cc5a07e6e0bbea4e9bbd

Link:

https://www.unpac.me/results/276ab1cd-c7cc-4857-b0cf-7c71379c5d03/

SH256 hash:

b7b16b9399af46950070cb26f72deb81e24d721d5458b0da352c87d48dd5ed7c

MD5 hash:

87bc98c7970c2a6f6c3a2468e709fc73

SHA1 hash:

fd867615084f0f2b630c264986747dbb14c1cec2

Link:

https://www.unpac.me/results/276ab1cd-c7cc-4857-b0cf-7c71379c5d03/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Remcos

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/fa4d2ff6d00bc311d0cd41fcacae2e183b6fc7c9344b9d4efc60e0654875fa25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 106e10c5ee0801918db0a9cfb5a07a74259c497d44e2e7b8dfdd0ea968b24703

AgentTesla

exe fa4d2ff6d00bc311d0cd41fcacae2e183b6fc7c9344b9d4efc60e0654875fa25

(this sample)

Delivery method

Other

Dropped by

SHA256 106e10c5ee0801918db0a9cfb5a07a74259c497d44e2e7b8dfdd0ea968b24703

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample