MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 169841b0663caf89087ba42112cd8a2ce6f7ef0fa0da0a7124e74547031cc362. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	169841b0663caf89087ba42112cd8a2ce6f7ef0fa0da0a7124e74547031cc362
SHA3-384 hash:	1cc3366ff484ec8ea80cac92423a5ea60ead71fdfc60a302817571711fb9335245599fe65521b335ed5ff7b03517d7c2
SHA1 hash:	d6112abc878ef884111e8cb2c3bd08a16c86e7f0
MD5 hash:	bc148c6c959e683bdb35eb8082de1348
humanhash:	alaska-mobile-virginia-magazine
File name:	PROOF OF PAYMENT.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	531'968 bytes
First seen:	2020-08-19 13:40:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:TxffXZ7Dd3IQTuWrbXNi6dphQcVe4OL/fN:Txp7pFKSA6dMoeB5
Threatray	10'419 similar samples on MalwareBazaar
TLSH	E4B4F1A750652328C43D74FA910108A346F79C6A871AF96601F476BB15FE663CF2A33F
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: bosmailout05.eigbox.net
Sending IP: 66.96.188.5
From: Laura Eeg <l.eeg@sikhacademy.ca>
Subject: PROOF OF PAYMENT
Attachment: PROOF OF PAYMENT.rar (contains "PROOF OF PAYMENT.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/48576/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/438247

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/169841b0663caf89087ba42112cd8a2ce6f7ef0fa0da0a7124e74547031cc362/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-19 04:11:33 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c2medmdghsxyscd3uqqrftmkfttpp3ypudnau4je45cuoay4ynra._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

56f2c7b9d0efa06b177d87a0617b2a4ccb000d72599d046e3cc014628a4ca497

AgentTesla

66332e53989ee89d3c963cecd82424b45e332cadb2d9e13ba13f9f49d22b25ee

AgentTesla

687bbb360426bced3a9f69df3a4ae321c30c2e6e8cc40bde6b6b7519a6aaab34

AgentTesla

779250862192983603f41542782abb140ff3a0be669c5fb3bf80ea6932b4fc50

AgentTesla

88ca3229bbbcdfa0efd9ba8533253fc7cb11206b266d0bcdde54e2c10ac87e35

AgentTesla

923400c38b42c55fd484b8dfec8058a5952de23cbe053dea7bf041aa727c1b25

AgentTesla

992224c3cf97b0d58a9a0c5af443de835abecf518c8c9da0c7724f8929922f8f

AgentTesla

d3027dd8d1fd1dc823baace52ec28189ed1486065438d86c640199f4d98d3f79

AgentTesla

d589bde71aff96cea185e9175ca0797d0799a0f0d64de123be6e2c1bc9c73b68

AgentTesla

+ 10'409 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200819-gz3jje9vwx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/169841b0663caf89087ba42112cd8a2ce6f7ef0fa0da0a7124e74547031cc362

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar