MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 fee2f1713e8dc0d04fee8d3b1a7c58db555aa8fd37f24145e872e57500b7071e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: fee2f1713e8dc0d04fee8d3b1a7c58db555aa8fd37f24145e872e57500b7071e
SHA3-384 hash: 0d71b4fcfd5c217627f445659329ae08776fe70c2acbcf38d92bbf21cb423aaaa1056ac03d912f89db51671c3851daab
SHA1 hash: f7cab01d89f7a02a671ed3f0a04982be886bebc4
MD5 hash: d0d7b5d75d5985574fb98ccd14af8979
humanhash: enemy-west-nine-one
File name:Inquiry.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:286'136 bytes
First seen:2020-10-16 10:52:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:zArkPnJTQgke6ea3J1CLuG8RAugl9rhRWk6VxJlkPEk:Urk/JTQgke6eaJ1G0RACMEk
TLSH B95412715FB70911F46D5B364693142B4BFAFD0BC6A2856BEED4A7704EF22A20B23740
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: hotmail.com
Sending IP: 95.168.191.137
From: Abdoulaye Muhamman <sales01fahedgoup@hotmail.com>
Subject: Inquiry
Attachment: Inquiry.zip (contains "Inquiry.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/71933/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
Adding an access-denied ACE
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/493466
Signature
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/fee2f1713e8dc0d04fee8d3b1a7c58db555aa8fd37f24145e872e57500b7071e/
Threat name:
Win32.Trojan.Wacatac
Create hunting rule
Status:
Suspicious
First seen:
2020-10-15 13:56:12 UTC
AV detection:
28 of 48 (58.33%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=73rpc4j6rxanat7oru5ru7cy3nkvvkh5g7zecrpiolsxkafxa4pa._file
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201016-jysvvgzlbe/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
fee2f1713e8dc0d04fee8d3b1a7c58db555aa8fd37f24145e872e57500b7071e
MD5 hash:
d0d7b5d75d5985574fb98ccd14af8979
SHA1 hash:
f7cab01d89f7a02a671ed3f0a04982be886bebc4
Link:
https://www.unpac.me/results/d42e09db-c00b-48d5-957c-efb33c51ca8f/
SH256 hash:
a1c42b632ea578383ff261894506ffe7d92c7d6d87c996d4908dfbe83c448990
MD5 hash:
7cc229a784365b740875cf3d165ca5ec
SHA1 hash:
3e66dbec34f3a2dc796a4bc13207a2eb7fcf3334
Link:
https://www.unpac.me/results/d42e09db-c00b-48d5-957c-efb33c51ca8f/
SH256 hash:
d97722569f614dc373b9300c907bfc3c87d8c149c277e65af6c771b835680932
MD5 hash:
299ae57f92f2cdd20c5702d67c31c6d1
SHA1 hash:
49210a9ac9621e68c7dacddcbf84400bba866247
Link:
https://www.unpac.me/results/d42e09db-c00b-48d5-957c-efb33c51ca8f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/fee2f1713e8dc0d04fee8d3b1a7c58db555aa8fd37f24145e872e57500b7071e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 204e7a961624dce055b16a55fcb688b29ea2e5a982a1bbbec4f85ce1c73c0594

AgentTesla

Executable exe fee2f1713e8dc0d04fee8d3b1a7c58db555aa8fd37f24145e872e57500b7071e

(this sample)

  
Dropped by
MD5 1dd3b1aebe39707750fa4d42f1b41089
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71933/
  
Dropped by
SHA256 204e7a961624dce055b16a55fcb688b29ea2e5a982a1bbbec4f85ce1c73c0594

Comments