MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 161692cd66940133b0ecd2d6858d3841064695fa2c54f2365f036200f1f737ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 161692cd66940133b0ecd2d6858d3841064695fa2c54f2365f036200f1f737ab
SHA3-384 hash: 91cd08a5551a6786e7de68546337b531127a4d190b8d632745cc8f4f9b0f8c159f12b1208d7146e2fbb96d490e060f66
SHA1 hash: 425cbd52e0d4a2c6a824b5ec8b9a1b89feede2e4
MD5 hash: fde5593ca0a2c67bfb51d1df12aad093
humanhash: november-cold-moon-one
File name:order Specification.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:904'704 bytes
First seen:2020-08-19 13:36:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:GlKNLdi9iUClOubx3Ta3g4iYdFxkql+IjkN6+Rocq4Oeva6y9V+1pX2XOBFOx6A5:6KNLdi9iKubtTugpY2q2zapz+ym
Threatray 9'460 similar samples on MalwareBazaar
TLSH D815193D3B81A805D63E4AB540A8A9C2B231B68B3B41CF3F68C7535C5F0368F7B95569
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: host75.registrar-servers.com
Sending IP: 198.187.29.67
From: Helen <helen@unischolarboard.com>
Subject: Order for August
Attachment: order_Specification.img (contains "order Specification.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
70
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48567/
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/438225
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
May use the Tor software to hide its network traffic
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271588 Sample: order Specification.exe Startdate: 20/08/2020 Architecture: WINDOWS Score: 100 50 Yara detected AgentTesla 2->50 52 .NET source code contains very large array initializations 2->52 54 Initial sample is a PE file and has a suspicious name 2->54 56 May use the Tor software to hide its network traffic 2->56 8 order Specification.exe 4 2->8         started        12 newapp.exe 4 2->12         started        14 newapp.exe 3 2->14         started        process3 file4 38 C:\Users\user\AppData\...\InstallUtil.exe, PE32 8->38 dropped 66 Writes to foreign memory regions 8->66 68 Allocates memory in foreign processes 8->68 70 Injects a PE file into a foreign processes 8->70 16 InstallUtil.exe 17 23 8->16         started        21 conhost.exe 12->21         started        23 conhost.exe 14->23         started        signatures5 process6 dnsIp7 40 theonionrouter.com 45.79.66.205, 443, 49737 LINODE-APLinodeLLCUS United States 16->40 42 www.theonionrouter.com 16->42 30 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 16->30 dropped 32 C:\Users\user\AppData\Roaming\...\zlib1.dll, PE32 16->32 dropped 34 C:\Users\user\AppData\Roaming\Tor\...\tor.exe, PE32 16->34 dropped 36 9 other files (none is malicious) 16->36 dropped 58 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->58 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->60 62 Tries to steal Mail credentials (via file access) 16->62 64 4 other signatures 16->64 25 tor.exe 11 16->25         started        file8 signatures9 process10 dnsIp11 44 82.64.31.91, 49743, 9001 PROXADFR France 25->44 46 37.157.255.35, 49742, 9090 MYLOC-ASIPBackboneofmyLocmanagedITAGDE Germany 25->46 48 4 other IPs or domains 25->48 28 conhost.exe 25->28         started        process12
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/161692cd66940133b0ecd2d6858d3841064695fa2c54f2365f036200f1f737ab/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 04:12:15 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cyljftlgsqathmhm2llildjyiedenfp2frkpens7anrab4pxg6vq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
6ef9a45a617adf0e0ff740e37c865325289a110394725c393c314a3128a2575f
AgentTesla
7867241670b0fd664072e1bf555bc56b8291a80e01adeebcffcc768a0e88c117
AgentTesla
869e8a26e04953a411e7454c800e022bbbb3825320ab6e3935213357789f0844
AgentTesla
8846c5d088724ae06915e0e0f987ca3a65fba368095bc73f3109f6cb7841318b
AgentTesla
99dc64c72b1f6454e497a499216ad187c66e00f42ad23e3c5d240c39ed10b667
AgentTesla
9ad5063698ad109885b88817d60f69d18e9c109df7d58c5b24ead0b3c09bc579
AgentTesla
a348251ca8856d6984701e79b0946e27410542a8d6769bc0d902239ff41efc9f
AgentTesla
ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317
AgentTesla
aea7319d67789e4e524c4af9bcb842d66593a97dff25cb4be43eee5f5fb86963
AgentTesla
ec71f5a55f7af75de19957a7283f209ca6f171ffd5cafd6acd52e02570e025d9
AgentTesla
+ 9'450 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer family:agenttesla
Link:
https://tria.ge/reports/200819-nw3sg1fl5e/
Behaviour
AgentTesla Payload
Agenttesla family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/161692cd66940133b0ecd2d6858d3841064695fa2c54f2365f036200f1f737ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 95e6450efad2f15faf3b09e3120f30b29cc52d859b4859e5b0e1416fbca9cb0d

AgentTesla

Executable exe 161692cd66940133b0ecd2d6858d3841064695fa2c54f2365f036200f1f737ab

(this sample)

  
Dropped by
MD5 14f3c9fcf7e6d2ae9889a6abccf462d4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48567/
  
Dropped by
SHA256 95e6450efad2f15faf3b09e3120f30b29cc52d859b4859e5b0e1416fbca9cb0d

Comments