MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdde861930d90cd01ecd816cbd4c0167757ea3068b4a67edd28b7b9514fdc1a2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdde861930d90cd01ecd816cbd4c0167757ea3068b4a67edd28b7b9514fdc1a2
SHA3-384 hash: 280441f159b6db76fa51c56e9ca8c48a737f1055d2526ba83d6acbbb407af0eded121e21e8d389e7462055e7998d1425
SHA1 hash: 79cd0df678874d73fa21cc6f10e7bbface32d13d
MD5 hash: 6afa2c6e37bd797f3ef57213eeb5fdeb
humanhash: michigan-oven-uncle-eleven
File name:RFQ16-03-2020YT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:887'296 bytes
First seen:2020-12-21 08:02:32 UTC
Last seen:2020-12-21 09:34:19 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'737 x AgentTesla, 19'595 x Formbook, 12'239 x SnakeKeylogger)
ssdeep 12288:7TWorF3sMci+c3bGXtL4xEJRE1MkY828E/KyCWslmy/jT+D9s0eDXQ2tO3YOCJ78:GorFtnCh8GYlJwvfBJbZisZ
Threatray 1'922 similar samples on MalwareBazaar
TLSH C6157D6839EA705EF073EE719FE47CA5EA5EB673270B540B1053038A4A1ED42CF9057A
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
180
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
RFQ16-03-2020YT.exe
Verdict:
Malicious activity
Analysis date:
2020-12-21 08:03:28 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/88fc12bc-dc67-4879-b891-03ab4af897fb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.Agent.FBBF.11245.1170.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/567253
Signature
.NET source code contains very large array initializations
Detected unpacking (changes PE section rights)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332708 Sample: RFQ16-03-2020YT.exe Startdate: 21/12/2020 Architecture: WINDOWS Score: 100 26 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->26 28 Found malware configuration 2->28 30 Multi AV Scanner detection for submitted file 2->30 32 7 other signatures 2->32 6 RFQ16-03-2020YT.exe 3 2->6         started        process3 file4 18 C:\Users\user\...\RFQ16-03-2020YT.exe.log, ASCII 6->18 dropped 34 Detected unpacking (changes PE section rights) 6->34 36 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->36 38 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->38 40 Injects a PE file into a foreign processes 6->40 10 RFQ16-03-2020YT.exe 6 6->10         started        14 RFQ16-03-2020YT.exe 6->14         started        16 RFQ16-03-2020YT.exe 6->16         started        signatures5 process6 dnsIp7 20 smtp.mivante.com 10->20 22 us2.smtp.mailhostbox.com 208.91.199.223, 49750, 49751, 587 PUBLIC-DOMAIN-REGISTRYUS United States 10->22 24 192.168.2.1 unknown unknown 10->24 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 10->42 44 Tries to steal Mail credentials (via file access) 10->44 46 Tries to harvest and steal ftp login credentials 10->46 48 Tries to harvest and steal browser information (history, passwords, etc) 10->48 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/fdde861930d90cd01ecd816cbd4c0167757ea3068b4a67edd28b7b9514fdc1a2/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-20 18:19:53 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7xpimgjq3egnahwnqfwl2tabm52x5iygrnfgp3osrn5zkfh5ygra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0156cc74dc52bcb6c9e1ea57e4e68825fb45a506e17701895e056a677d413184
AgentTesla
3262041b975c085ac4910cab0c54cafd02bee3accf8f921712f9a626634ea833
AgentTesla
5ccb4b42592b867c638bc0b10bd75d11865ee1bea36d8242bffe1aba403336e4
AgentTesla
6e1a37cc8b4d9d0588132c3f315a4e1f7873ddae440c7be61381b12edf74e723
AgentTesla
8642bef0da90b39eff7e2f28570d28aa2a9aaabcd181c9f64bcfbdd331a606f1
AgentTesla
909fbce815ea71ef959b37bb5dc6c18eaea743019b66fae2af196473cffb17b1
AgentTesla
9efe8cef3127a10a3c0ee380a77298650e7a54e9e785d86f9871c00c2ad62bdf
AgentTesla
b6748127aa926856ac3fe079f13cf62d689fdbdcd5663871f9d59d2d6e7b0073
AgentTesla
d4cb3350b91d885e27987182b020afc1f194459cc9a1506e815f6ffbb41fe73a
AgentTesla
fa816fa2565bb49b65dbb51bb3a70f87b82437e19c0e7680a6a112fe177f880b
AgentTesla
+ 1'912 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201221-wre5zpaj1e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
fdde861930d90cd01ecd816cbd4c0167757ea3068b4a67edd28b7b9514fdc1a2
MD5 hash:
6afa2c6e37bd797f3ef57213eeb5fdeb
SHA1 hash:
79cd0df678874d73fa21cc6f10e7bbface32d13d
Link:
https://www.unpac.me/results/3a4a4d03-348b-425f-8a08-8e903b510bd7/
SH256 hash:
63a681a5739224e2a8d2184aee0f2672d57a99b920dbd40de6decb78b961b588
MD5 hash:
fc6398e3e937efd3ec3b835312111b12
SHA1 hash:
1df5edc9d3e24de6032d3569db24c58f79f65476
Link:
https://www.unpac.me/results/3a4a4d03-348b-425f-8a08-8e903b510bd7/
SH256 hash:
d50712cabebb903a61c7f057d0227da96ce37ed1e88dabb53ed375e13e5e292b
MD5 hash:
ab80db371fa3dc281a3270a2c758c4fb
SHA1 hash:
4c64189ee4de95b63813457b86b3acd6e83fe23f
Link:
https://www.unpac.me/results/3a4a4d03-348b-425f-8a08-8e903b510bd7/
SH256 hash:
a3efac919dda98f3021893c68e60570fb783afb50d4cfb068829b30a3116879f
MD5 hash:
f3c6df7d9cf6cfce466270d490504769
SHA1 hash:
d1ffc4912b888e5ae26ba4fa5397286955e70813
Link:
https://www.unpac.me/results/3a4a4d03-348b-425f-8a08-8e903b510bd7/
SH256 hash:
811e6073113c26a8d99c9939b46bb9973bdc71c64947b1e5e0952244ea69170e
MD5 hash:
1ce08a5c52a8af3384ea5ce20fe8b9ef
SHA1 hash:
d281a4592866a553b283b96d2fefc7158ba02241
Link:
https://www.unpac.me/results/3a4a4d03-348b-425f-8a08-8e903b510bd7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fdde861930d90cd01ecd816cbd4c0167757ea3068b4a67edd28b7b9514fdc1a2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip c2b5829b6688f27666d1078302849a0f100e614497c91e01c4ab13ca137a2ed0

AgentTesla

Executable exe fdde861930d90cd01ecd816cbd4c0167757ea3068b4a67edd28b7b9514fdc1a2

(this sample)

  
Dropped by
MD5 0cc85d4bd989fb1de2b907944415c369
  
Dropped by
SHA256 c2b5829b6688f27666d1078302849a0f100e614497c91e01c4ab13ca137a2ed0
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment

Comments