MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff7cfa32cedd5fa246f999297b1330baaf922d5cd878883438a7e5e65d054362. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff7cfa32cedd5fa246f999297b1330baaf922d5cd878883438a7e5e65d054362
SHA3-384 hash: 74b86f50439751df7d7c6c02040884efdb4e11c54963087a47a92690c9e75a5cb87701a2a08261ef1d88835f3d85fe28
SHA1 hash: 7bce020f5a3a1f907daf0ba4d57e3f563c3374e7
MD5 hash: 96b5b7152b1bf3ecc7425d15d41e7152
humanhash: orange-victor-friend-uncle
File name:IMG_00000000001.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'076'224 bytes
First seen:2021-04-07 08:03:09 UTC
Last seen:2021-04-07 09:01:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'654 x AgentTesla, 19'464 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 24576:PjbiscFDnsvuxlZevtacab98oa5w9JsfmwO5n+7mvLe:CT1n9xlqtacab98eJsLCvL
Threatray 3'753 similar samples on MalwareBazaar
TLSH D135F0323254AF92E37D97308461927407F1BE57EB21D74E3CAC71DC6A32BC68A62752
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
143
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IMG_00000000001.PDF.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 06:48:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/20cbe3af-60ea-4826-9ae1-703d61e1edf1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/132797/
Detection(s):
SecuriteInfo.com.PWS-FCXD96B5B7152B1B.26377.5971.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668403
Signature
.NET source code contains very large array initializations
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ff7cfa32cedd5fa246f999297b1330baaf922d5cd878883438a7e5e65d054362/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 05:54:28 UTC
File Type:
PE (.Net Exe)
Extracted files:
61
AV detection:
10 of 48 (20.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=756pumwo3vp2erxzteuxwezqxkxzelk43b4iqnbyu7s6mxifinra._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
212fa99c63cef30d1c9738b16139ee494eccca1f8d85d499088aeff2dfd4b42d
AgentTesla
4e9d4accd47dc415c57f8c246d5e7a80b57eb0428380ec6fad4daf99e35494fe
AgentTesla
5c8301f5ec2ae8cca6eb7aca8cd2578811019bcc261e16fe84f1bf7231676805
AgentTesla
7c98a7aee7d155bc8632cae1ff09120f88483adfa77205e6b74253e9d652e2b6
AgentTesla
7e585caf6d39d5596d2f74e12de5c1d5e3d00fb9eaa2341808d13fbe7db70d4b
AgentTesla
9d92710a161bdf3bbf19a895ad3f7ee347d283890bd2a40893f3bb6d85b3077c
AgentTesla
c9ecc8ac0893475d6852cd5aadf9ed6c5378e45f281b92ee948def1c7f9263f3
AgentTesla
dc377a33af6a32885d2ad71c2f0495372f5aac992d25fa0239ecc9aeec1d482b
AgentTesla
ea1dfb8b4d49ed0725305093b1a5466d5ab339ba2a5b125db5f3b87c42b874ea
AgentTesla
efa63822d503d39c7cf4ed12eea7c23780a146214aafcf5b74a18b859c5ab5ca
AgentTesla
+ 3'743 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210407-fe1egg41j2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
6590b9ec4fa84e44c372fda26f47d6d58859d74869621c6bdd4086e6ae411379
MD5 hash:
95dfa1a9015a17a1d49b4faa3f3d999d
SHA1 hash:
427b72727b28436554d0443d797f19b2ea37cc16
Link:
https://www.unpac.me/results/6a407a02-feba-43f9-a124-d2fad2213f06/
SH256 hash:
ff7cfa32cedd5fa246f999297b1330baaf922d5cd878883438a7e5e65d054362
MD5 hash:
96b5b7152b1bf3ecc7425d15d41e7152
SHA1 hash:
7bce020f5a3a1f907daf0ba4d57e3f563c3374e7
Link:
https://www.unpac.me/results/6a407a02-feba-43f9-a124-d2fad2213f06/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff7cfa32cedd5fa246f999297b1330baaf922d5cd878883438a7e5e65d054362

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 844b442fc19f704cfb140ba400248a68b1077989fc9a39e943789ed2dbde83d7

AgentTesla

Executable exe ff7cfa32cedd5fa246f999297b1330baaf922d5cd878883438a7e5e65d054362

(this sample)

  
Dropped by
MD5 8bf51148a51d4346c9a12d37b7fc3fcd
  
Dropped by
SHA256 844b442fc19f704cfb140ba400248a68b1077989fc9a39e943789ed2dbde83d7
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132797/

Comments