MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff20281cabcfb9e1e301e097c23f37839a0ba21fd65b209591b15b7b40252f5b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff20281cabcfb9e1e301e097c23f37839a0ba21fd65b209591b15b7b40252f5b
SHA3-384 hash: 2b1fd318ec1781ee72f73c558d1f697e2b27e875a29861e2172fb30247bb3f9bb323ff7d54bd74b6fbd0b62d97ae745c
SHA1 hash: 6708c9e6e2a4c442c79c774028c7d48d62de2090
MD5 hash: 295ca1c1e463f77bd58fa386d13169bb
humanhash: sweet-tennis-berlin-bakerloo
File name:P&I_Circularpdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:340'947 bytes
First seen:2021-04-06 18:48:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 9c523d8653da5455667e3f82274f2f88 (6 x Formbook, 2 x SnakeKeylogger, 1 x AZORult)
ssdeep 6144:AbOYCcGXGRJEBbgl8MIMrHq3sQzIPuxIfUClOBYF1jxkIwbrg67NH768A:ECct7kxMrHqcQzIzsC0Y/alNHJA
Threatray 3'971 similar samples on MalwareBazaar
TLSH 5F7412A623C2F8BBEB4709313DBA9136CB77B316160343471B281FE974925C7DA582D6
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
P&I_Circularpdf.exe
Verdict:
Malicious activity
Analysis date:
2021-04-06 06:28:04 UTC
Tags:
installer trojan rat agenttesla
Link:
https://app.any.run/tasks/2a7f114f-29bf-40cb-af56-3e6cabd99e95

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132707/
Detection(s):
SecuriteInfo.com.FakeAV.AVB.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/667943
Signature
.NET source code contains very large array initializations
Contains functionality to prevent local Windows debugging
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff20281cabcfb9e1e301e097c23f37839a0ba21fd65b209591b15b7b40252f5b/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-06 00:59:56 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=74qcqhflz646dyyb4cl4epzxqonaxiq72znsbfmrwfnxwqbff5nq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
16c420649e2982539d14c2c84bd486af2fb7be77119d93c83dfc1ea9adca91a8
AgentTesla
420eb55a610b87b50a1f216ad003ef777283224e1aaedad7723f240ff1fed218
AgentTesla
782e217ec684944693a03a56d29675c879b31fb570c5f9956552ba5968295463
AgentTesla
9b501c547c3a6220c4ce9cec44811a2637adbbd3a11a0bf11ed437fde7747410
AgentTesla
9e33ca4eee3b2499f384dcfd926f97675258157bbdbeaa5c6720abc746c77d2c
AgentTesla
a05b237bd950b290bde604ee1eb0682268195ce28a92dfc1b17c5085583dd107
AgentTesla
a51bd84d3facb55aaa7d351f79a6383f50b362c48a7abf373675aedd13aa9770
AgentTesla
b1db9b45aa4903a5d9086d759765f4cb76a23e601c7bfd8133d440cace108307
AgentTesla
bbc5727bbd913262d6ef7229835da334fe74ac468c28a94b348fab5f258a04af
AgentTesla
+ 3'961 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210406-4wxznfrppa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
163e4a5eb3960d0ce432130e93ea01549bf9b49913c7c2b169681d3b13c15223
MD5 hash:
3a0d2f7e8efbb607befc3eaff66fcd22
SHA1 hash:
55fa9e3a3aa74c386fb8d6db099e7f0c21c5be4c
Link:
https://www.unpac.me/results/1f1959e3-82ea-4663-9806-f11a08dbb47f/
SH256 hash:
ecab65498dc1d4f1c3885dba3ce8e5c28718ece646152d4c4f39a0a8271a203e
MD5 hash:
96f0df734743e2bc89277c9ced229996
SHA1 hash:
3493e1c33aa540ab52954375eecc91f91fe1f104
Link:
https://www.unpac.me/results/1f1959e3-82ea-4663-9806-f11a08dbb47f/
SH256 hash:
052023164cb7251e8dea537ad9f0bbaab53c005edd84af9405f874cf6ca45b12
MD5 hash:
69869b91861c24bacb7886a1df299854
SHA1 hash:
18377597dc2f29f33d3306474ff2493b6a70df3b
Link:
https://www.unpac.me/results/1f1959e3-82ea-4663-9806-f11a08dbb47f/
SH256 hash:
ff20281cabcfb9e1e301e097c23f37839a0ba21fd65b209591b15b7b40252f5b
MD5 hash:
295ca1c1e463f77bd58fa386d13169bb
SHA1 hash:
6708c9e6e2a4c442c79c774028c7d48d62de2090
Link:
https://www.unpac.me/results/1f1959e3-82ea-4663-9806-f11a08dbb47f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.82
Link:
https://yomi.yoroi.company/submissions/ff20281cabcfb9e1e301e097c23f37839a0ba21fd65b209591b15b7b40252f5b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 94a700d7e37dda15f899ba5c5307c41cf3d20b27eecd1b1db43f97bae464e4d3

AgentTesla

Executable exe ff20281cabcfb9e1e301e097c23f37839a0ba21fd65b209591b15b7b40252f5b

(this sample)

  
Dropped by
MD5 1a65434d385ea67904a0c538f8fd7033
  
Dropped by
SHA256 94a700d7e37dda15f899ba5c5307c41cf3d20b27eecd1b1db43f97bae464e4d3
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132707/

Comments