MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 00ee54a99b3c75bfa2004e5a8c80d55e6e87e98d6f84edf940e4d38f5a314ade. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 00ee54a99b3c75bfa2004e5a8c80d55e6e87e98d6f84edf940e4d38f5a314ade
SHA3-384 hash: 3e10915bf411ddf76a42edf3293f8c667f23efc6b135b8db135e284f992b635f4b4be983b940d18b2727527591448ce4
SHA1 hash: 3698f32f5d43e3b006c32763178999dc327dd0a7
MD5 hash: 90b41a7e7e89c958096a1199eb618e10
humanhash: low-delaware-king-april
File name:arrival notice ET.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:357'888 bytes
First seen:2020-07-29 14:44:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:I0zMXKFeicZMwrAknCCGdRjE84aJcUilnOjzrjkmjlMobd2:I0Y6LwLnqRj54qcT8jz0I
Threatray 10'737 similar samples on MalwareBazaar
TLSH 1E74DF640A6ACB6AD48D1FBA974473274BFA5A57E303D30B809476CD0F1DACAC615F0E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: rim-tele.com
Sending IP: 188.128.84.2
From: Pacific Logistics (HK) Limited <apl_doc@asean-paciific.com>
Subject: ARRIVAL NOTICE & INVOICE ETA 30th JUL 2020
Attachment: arrival notice ET.r00 (contains "arrival notice ET.exe")

AgentTesla SMTP exfil server:
mail.chinagrill.co:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/35011/
Detection(s):
SecuriteInfo.com.Fareit-FVK90B41A7E7E89.19992.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/402782
Signature
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 253730 Sample: arrival notice ET.exe Startdate: 30/07/2020 Architecture: WINDOWS Score: 80 47 Yara detected AgentTesla 2->47 49 Executable has a suspicious name (potential lure to open the executable) 2->49 51 Machine Learning detection for sample 2->51 53 Initial sample is a PE file and has a suspicious name 2->53 11 arrival notice ET.exe 1 2->11         started        process3 signatures4 61 Maps a DLL or memory area into another process 11->61 14 arrival notice ET.exe 11->14         started        17 RegAsm.exe 2 11->17         started        process5 signatures6 65 Maps a DLL or memory area into another process 14->65 19 arrival notice ET.exe 14->19         started        22 RegAsm.exe 2 14->22         started        67 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->67 69 Tries to steal Mail credentials (via file access) 17->69 71 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->71 73 Tries to harvest and steal browser information (history, passwords, etc) 17->73 process7 signatures8 57 Maps a DLL or memory area into another process 19->57 24 arrival notice ET.exe 19->24         started        27 RegAsm.exe 2 19->27         started        process9 signatures10 59 Maps a DLL or memory area into another process 24->59 29 arrival notice ET.exe 24->29         started        32 RegAsm.exe 2 24->32         started        process11 signatures12 63 Maps a DLL or memory area into another process 29->63 34 arrival notice ET.exe 29->34         started        37 RegAsm.exe 29->37         started        39 RegAsm.exe 29->39         started        process13 signatures14 55 Maps a DLL or memory area into another process 34->55 41 RegAsm.exe 34->41         started        43 RegAsm.exe 34->43         started        45 RegAsm.exe 34->45         started        process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/00ee54a99b3c75bfa2004e5a8c80d55e6e87e98d6f84edf940e4d38f5a314ade/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 14:45:11 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=adxfjkm3hr237iqajznizagvlzxip2mnn6co36ka4tjy6wrrjlpa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
18ae67bb09ad7b543b79fe9ed8ea2ec5aee982c0e629e08050ad36cf3c6bf2c6
AgentTesla
1beeee8be1d1210689501aea9ee2ff97fba886b65ecb5fc92a9ef0f732021428
AgentTesla
322246ebcd55123f8d11816a45dde9ef1b0b041ab306fce78af896a04052e6c8
AgentTesla
4372af3cc2398f62f4737895b8d481e37441a22cf00bc3426546974c2636322b
AgentTesla
521682b3d5f74a75604bdbacc12c5aab77eac5505b39825f10c0e0766c6c321e
AgentTesla
7e8987e445e167c88b95a97849018508b3d791b49c4e30abd0640cc8ccf7d917
AgentTesla
923c1da2e7e5f9d534345df74620480dfd475c48319ecec7f19c686b83804337
AgentTesla
c3c5dd5504de3725ef9e40d0379cc273a356a90c6b2febb9dbc1f711348a1601
AgentTesla
c9dcd1d7470488ed72d4a673592ab0c4684124dc7e69bb903d47d6a71ffe42fd
AgentTesla
d7b503c1065388c0d28b93528745be46f6fc80ba358cad50ae05302785d1834b
AgentTesla
+ 10'727 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200729-d8z3hp51ge/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/00ee54a99b3c75bfa2004e5a8c80d55e6e87e98d6f84edf940e4d38f5a314ade

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 87da6b0428079396f59c94362281d9f6c788a2ea80953792fc1a33c1c077d71d

AgentTesla

Executable exe 00ee54a99b3c75bfa2004e5a8c80d55e6e87e98d6f84edf940e4d38f5a314ade

(this sample)

  
Dropped by
MD5 b3061c3f4f5b475c7422eb43c31d9a5d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/35011/
  
Dropped by
SHA256 87da6b0428079396f59c94362281d9f6c788a2ea80953792fc1a33c1c077d71d

Comments