MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fdf7a24b0b6c57dfbee964444a5f7d645e3a306e509ee43c005b13c1dbf9fa50. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fdf7a24b0b6c57dfbee964444a5f7d645e3a306e509ee43c005b13c1dbf9fa50
SHA3-384 hash: 4b1755dc49b089f5c5b808a2d68b6020f07d1bb7518d348df3f2095e57f79ee82745da592b055c8b523d444d4fe917a4
SHA1 hash: 6f8b8e40933458032903a2bd92919b72a1f8e0b8
MD5 hash: 9a600e8830af26f31ea9637a10349c17
humanhash: aspen-lithium-connecticut-alabama
File name:TNT Import Clearance Consignment 9066721066.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:937'984 bytes
First seen:2021-01-19 13:06:43 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:DsgYUGwifQf0fiRg6OkI5TWU+ogOBBWlRoslSQO:IgYUnfW6Ofvbg+BW
Threatray 229 similar samples on MalwareBazaar
TLSH 2315CE862E84EE41E12AA7B5D829A9F073FEAD15DA14C44F7C94FEBD3733906850D132
Reporter abuse_ch
Tags:AgentTesla exe TNT


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: host455.dgtr-network.com
Sending IP: 23.92.68.218
From: TNT Express Import Service <tdooley@tritechcoa.com>
Subject: TNT Import Clearance – Consignment : #9066 721066 is now under clearance process
Attachment: TNT Import Clearance Consignment 9066721066.zip (contains "TNT Import Clearance Consignment 9066721066.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
160
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
TNT Import Clearance Consignment 9066721066.exe
Verdict:
Malicious activity
Analysis date:
2021-01-19 13:11:56 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/52ba5539-ced5-425e-be1c-b4121c572b1d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/112900/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/585009
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fdf7a24b0b6c57dfbee964444a5f7d645e3a306e509ee43c005b13c1dbf9fa50/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-01-19 11:03:24 UTC
AV detection:
15 of 28 (53.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=7x32esylnrl57pxjmrceux35mrpdumdokcpoipaalmj4dw7z7jia._file
Verdict:
suspicious
Similar samples:
2f8daf0f7d0ba0b573b93f3e4ffb75e157a0e78be8a07bde8325dbd0efe42b6b
AgentTesla
61cf371d87b081dbca8f7dacc088c35238295b5c71c79a8f06ab209dcbc7ff48
AgentTesla
7ce968d0fc6d6ef86fa1c73e383a21b7cdd401eeaa9daefad0d2b20de042a8e5
AgentTesla
a55e49e3dffd386fbe1b8cfdafb4bcca81264b48e1fa2f9d68a7b8b12ec2bc7e
AgentTesla
aadf4a2325f03bbc80d38bc0c033e5ecc945a9b132570533f5a3fc41a6e034d6
AgentTesla
bfa8ca8a64dfbdd1b607b72848edc7ed107c90eb72b15c93d520392c201364fd
AgentTesla
d7c81b22b82c19f2c3b05ba1b222e317975cc16f4900db415c8e723c7f2eff06
AgentTesla
de752497070302674c9ff806fc9c905d9ca2db93d8d6241d4849da79394fe172
AgentTesla
f991818096935708b00e812a9700a0215a1583047f2721552a9d6375abf0db75
AgentTesla
fe15f4f81105e03404643fa842168b56482ea6e6772c95f0ffb56c0b0f69678f
AgentTesla
+ 219 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://tria.ge/reports/210119-ggmgfvkwss/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in Drivers directory
Unpacked files
SH256 hash:
52d35fabfc97d3e903b5d9eb253e8f84d1dfee2967fa9dde6d6ca37cc61951c5
MD5 hash:
b5a7f2596efe4c5fc5f5d2c733d49259
SHA1 hash:
c121578124375dc293e4daf12fac22442a8131b6
Link:
https://www.unpac.me/results/0d9cecd4-9fcb-4b31-9ba7-cfd34a6c70c9/
SH256 hash:
13b39af1dc0c03097e34e6ece8e1261895d89d4448f6cef390c6803569b61835
MD5 hash:
e866d996103a26acf2907c50a723d379
SHA1 hash:
bbdabb1e40269ccada5c985cd2638948bdb3d352
Link:
https://www.unpac.me/results/0d9cecd4-9fcb-4b31-9ba7-cfd34a6c70c9/
SH256 hash:
e245aceafde689597a99628f1583553d91d74d09be4878776f971ad507173cdf
MD5 hash:
7650cd1b96700762a92ef4be37a3932e
SHA1 hash:
1c2b22fa9301704237e06526fcb98a00d2bf763e
Link:
https://www.unpac.me/results/0d9cecd4-9fcb-4b31-9ba7-cfd34a6c70c9/
SH256 hash:
fdf7a24b0b6c57dfbee964444a5f7d645e3a306e509ee43c005b13c1dbf9fa50
MD5 hash:
9a600e8830af26f31ea9637a10349c17
SHA1 hash:
6f8b8e40933458032903a2bd92919b72a1f8e0b8
Link:
https://www.unpac.me/results/0d9cecd4-9fcb-4b31-9ba7-cfd34a6c70c9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fdf7a24b0b6c57dfbee964444a5f7d645e3a306e509ee43c005b13c1dbf9fa50

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip acf9a1c62eab1c3da318e9d563f0baa19be9f8c7087c1f41aea78884099485a0

AgentTesla

Executable exe fdf7a24b0b6c57dfbee964444a5f7d645e3a306e509ee43c005b13c1dbf9fa50

(this sample)

  
Dropped by
MD5 e1dc6f8e7b8161d6e28b02d4322ad67b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/112900/
  
Dropped by
SHA256 acf9a1c62eab1c3da318e9d563f0baa19be9f8c7087c1f41aea78884099485a0

Comments