MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 048674629add2dc37cc99ab62fef41b4198e89807627b23652916bcec41476c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 048674629add2dc37cc99ab62fef41b4198e89807627b23652916bcec41476c8
SHA3-384 hash: 988bfaf2fc9fe7718118c68339735ae013e919f29e84e99db37242dbf60203c42ea23a806d0282895d765c7ba0b46d66
SHA1 hash: 4b607aca5266db44a3384aac38ce80e7aa3a4420
MD5 hash: 3d5ca50a71be7fba2de60785548114ff
humanhash: eleven-paris-football-arizona
File name:PROFORMA INVOICE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:737'280 bytes
First seen:2020-09-02 06:09:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:/81Xwo4IUsQ/cMMb4vE3EZhFDvXgHrKHuttPpQ1wv8jvIdM5j0D0Q+IfkD/H/zM9:gXQTsZCXLXgHrKwlvkQD
Threatray 10'643 similar samples on MalwareBazaar
TLSH 8FF4ADAD72507AAEC627FD77C9130D1CE750A066D32BE24BC4531198DA0DA97EF221F2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: outbound-gw.openxchange.ahost.me
Sending IP: 94.136.40.163
From: danny@gms.scot
Reply-To: danny@gms.scot
Subject: PROFORMA INVOICE
Attachment: PROFORMA INVOICE.zip (contains "PROFORMA INVOICE.exe")

AgentTesla SMTP exfil server:
smtp.dedhivala.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
97
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/54185/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/457163
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 280966 Sample: PROFORMA INVOICE.exe Startdate: 02/09/2020 Architecture: WINDOWS Score: 100 49 Found malware configuration 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected AgentTesla 2->53 55 6 other signatures 2->55 6 PROFORMA INVOICE.exe 3 2->6         started        10 ImIlErN.exe 2 2->10         started        12 ImIlErN.exe 3 2->12         started        process3 file4 23 C:\Users\user\...\PROFORMA INVOICE.exe.log, ASCII 6->23 dropped 57 Injects a PE file into a foreign processes 6->57 14 PROFORMA INVOICE.exe 2 5 6->14         started        19 ImIlErN.exe 2 10->19         started        59 Multi AV Scanner detection for dropped file 12->59 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->61 63 Machine Learning detection for dropped file 12->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->65 21 ImIlErN.exe 2 12->21         started        signatures5 process6 dnsIp7 29 smtp.dedhivala.com 14->29 31 us2.smtp.mailhostbox.com 208.91.199.225, 49737, 49753, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->31 25 C:\Users\user\AppData\Roaming\...\ImIlErN.exe, PE32 14->25 dropped 27 C:\Users\user\...\ImIlErN.exe:Zone.Identifier, ASCII 14->27 dropped 37 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->37 39 Installs a global keyboard hook 14->39 33 smtp.dedhivala.com 19->33 35 192.168.2.1 unknown unknown 19->35 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->41 43 Tries to steal Mail credentials (via file access) 19->43 45 Tries to harvest and steal ftp login credentials 19->45 47 Tries to harvest and steal browser information (history, passwords, etc) 19->47 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/048674629add2dc37cc99ab62fef41b4198e89807627b23652916bcec41476c8/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-09-02 05:40:49 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=asdhiyu23uw4g7gjtk3c732bwqmy5cmaoyt3ensssfv45rauo3ea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
44096c1493b07b6097e73099250d28081e1729e2181420e90b5913030c9687b2
AgentTesla
6a5a84e5afd0a9d8fc62cacc992dc78ffc70fa1c72adfd2b6b7b415966a476cf
AgentTesla
6b0f2c8d4a8c8883be658db9868b33db30eb73755e4688279c29599eb25c6099
AgentTesla
8d4c5f365504b7836678f742584f084f4ab5fd6ae8c4ea5370d6f2eb6b2c42fe
AgentTesla
b82d04c79bfd870dd7024db85a5c3c60827776af6bfd6b73306ceebf72150ba4
AgentTesla
bb87b42e953c6ef0db1288c7f65aacc88e0fa50e8a3162a07002642b304f2146
AgentTesla
c298da56eb8b11fd96859a1f9434d6c4e251f574e48a0cc2d066d442b9bf182e
AgentTesla
e212649c10ad952f2cd34debebdb80c6dfbeec214dbf352095eb65672ef2a1e9
AgentTesla
e6a9bbee2b3b1dec06bfcddd17711777d7d14171e9c180a7310f6bb9cabf6879
AgentTesla
f02fa74cf67fbbbff605bf316388b5c6d208efd33ccede87538938389be4de93
AgentTesla
+ 10'633 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Link:
https://tria.ge/reports/200902-xc8npz3m3e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.71
Link:
https://yomi.yoroi.company/submissions/048674629add2dc37cc99ab62fef41b4198e89807627b23652916bcec41476c8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 10c8830913f96d811fed0d3318412fb966b9e938c805a67a356aa210cfbecf21

AgentTesla

Executable exe 048674629add2dc37cc99ab62fef41b4198e89807627b23652916bcec41476c8

(this sample)

  
Dropped by
MD5 30e71d958acd912a0f70c67e65d05dfc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 10c8830913f96d811fed0d3318412fb966b9e938c805a67a356aa210cfbecf21
Cape
Cape
https://www.capesandbox.com/analysis/54185/

Comments