MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fb12f7fd941118a189b835a29b6e49bd10da3e89ba8c1953cc96e5d1a2624cde. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fb12f7fd941118a189b835a29b6e49bd10da3e89ba8c1953cc96e5d1a2624cde
SHA3-384 hash: 0b22b2e4290acab900d0ad362de522209a287ad862460d9ba122108e9116f8486d5833971690a5791ee486f399ca0d69
SHA1 hash: c6b3bcb83dd438812f5e682f118e45fd32b91427
MD5 hash: 0bc95e93639e5fa27955485d601f0d97
humanhash: three-oregon-alabama-eighteen
File name:DES_ Holdings Ltd - products list.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:958'464 bytes
First seen:2021-01-06 08:00:10 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:DyIgXsf6ZgBO+eYceSxo1w+h86u0jbFXs2y1nUMfJZLo0+ksim5cYCgLtJ79MEc:yx9+7Iorh8ybdMnUM7M0+Him5lpe
Threatray 2'079 similar samples on MalwareBazaar
TLSH BE153711E24AEB5AEC2843B7E158F1F143F1ACC5D62DE6BB28D57C9934B6A00C5B1B31
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: srv.kibriswebhizmetleri.com
Sending IP: 213.159.5.123
From: DESIGNATED HOLDINGS LTD <info@inndormcyprus.com>
Subject: Request for Quotation
Attachment: DES_ Holdings Ltd - products list.7z (contains "DES_ Holdings Ltd - products list.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
189
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DES_ Holdings Ltd - products list.exe
Verdict:
Malicious activity
Analysis date:
2021-01-06 08:05:24 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/aff6c82e-beb8-4a0d-b4be-8194bf2cb8b0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/110708/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/574942
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fb12f7fd941118a189b835a29b6e49bd10da3e89ba8c1953cc96e5d1a2624cde/
Threat name:
Win32.Trojan.Pwsx
Create hunting rule
Status:
Malicious
First seen:
2021-01-06 08:01:11 UTC
AV detection:
6 of 44 (13.64%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7mjpp7mucemkdcnygwrjw3sjxuinupujxkgbsu6ms3s5ditcjtpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c35aa6b6d20fcf5548bf0c482b8201629b078fbf8a01ce58eb3d15f233a5d5c
AgentTesla
119ea5a2268265102382111254f38977bbdc06c4fb7d51f4ad21d248596bff1a
AgentTesla
395aadc58bde92d29449ba1d349f39e73205f9e2794cbbbd397f85796c91de77
AgentTesla
3f4689ec7f18f1c30786b9953ed1fccb79f806a233aeb730fff83b432adf87bf
AgentTesla
53c1425f389198255d64a1654f9e03fc92d28ca53937f75edec2c500d9373c76
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
AgentTesla
7e2743f34270ca2b3b8edc0d0f9e9efa265bc06314a9d82d15aa2a255e7e9439
AgentTesla
c8ca87eac75f678754c91da9f698340373057f9f3860686b70681402ea065661
AgentTesla
fad59266b34827f994eba36a030a5abd4c552c3132801afec5fe74c787e10044
AgentTesla
+ 2'069 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210106-js1nf53xda/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
fb12f7fd941118a189b835a29b6e49bd10da3e89ba8c1953cc96e5d1a2624cde
MD5 hash:
0bc95e93639e5fa27955485d601f0d97
SHA1 hash:
c6b3bcb83dd438812f5e682f118e45fd32b91427
Link:
https://www.unpac.me/results/6f2cf9f8-f426-4e52-9e5f-84033798e488/
SH256 hash:
873c540bfb7f12fb0c7d1403e2bc90b6e91bc748f86929363a697c09c48cc195
MD5 hash:
9ad7ff7373e65b867c47e3870523df4e
SHA1 hash:
46067a2a72fa23fbe3f310cc26ea5c381462dbce
Link:
https://www.unpac.me/results/6f2cf9f8-f426-4e52-9e5f-84033798e488/
SH256 hash:
78cc69e2bac1d1082fdcd12ab9f73c8fbe177d4c77c3741a1f675afc19fde7df
MD5 hash:
0d89407b450dd157f3eac8a3a3850a07
SHA1 hash:
ae3cd291f2a022360896d4fae4f005f2b50a8364
Link:
https://www.unpac.me/results/6f2cf9f8-f426-4e52-9e5f-84033798e488/
SH256 hash:
4fe60214b83e45790b79c9b687c830ee6a05c7252d22f74484c50af8e4b045e9
MD5 hash:
b89da57936ecfd0ad63b006b44d91528
SHA1 hash:
b4737c86ad05bb9456f05821943f9328501b1673
Link:
https://www.unpac.me/results/6f2cf9f8-f426-4e52-9e5f-84033798e488/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fb12f7fd941118a189b835a29b6e49bd10da3e89ba8c1953cc96e5d1a2624cde

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 1457014295e21581b8573689ff5ac29a8e1a1b9f914f3f50481ed503fd2d2b53

AgentTesla

Executable exe fb12f7fd941118a189b835a29b6e49bd10da3e89ba8c1953cc96e5d1a2624cde

(this sample)

  
Dropped by
MD5 45e6febe6d9f83517936cc3579bb45d6
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1457014295e21581b8573689ff5ac29a8e1a1b9f914f3f50481ed503fd2d2b53
Cape
Cape
https://www.capesandbox.com/analysis/110708/

Comments