MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1e3003997089d725802aea73f61a35f7a568c05b16251e2d93ea8a3f8973b1d3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	1e3003997089d725802aea73f61a35f7a568c05b16251e2d93ea8a3f8973b1d3
SHA3-384 hash:	7bbf93995c0ed352f5e5c2862970b3e5378ed024787299b4a1dbf6d3360dfabb55fc0596754aa1c0ca43fea0baf63afa
SHA1 hash:	7c3ffb195f2aae4a987bc646988d155f17e6489c
MD5 hash:	15f39c8ec5a6893de8d3d02f0d8d0450
humanhash:	salami-butter-green-glucose
File name:	WA 98032 SIGNED SALES AND PURCHASE CONTRACT AGREEMENT.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'203'200 bytes
First seen:	2020-08-17 20:47:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	24576:yCmiOcKKUAPft0mjR9MLqlAz18FBeimulevvkGFln+3b4yHRFyuqt:yCmxUUk10m99+18F83ule33n+
Threatray	10'499 similar samples on MalwareBazaar
TLSH	E045D0635788AE2EC6FE56B7B07248069BB0C655618FE39D1CCCBEB06DD33540D8B264
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/47400/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Sending a UDP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

84 / 100

Link:

https://www.joesandbox.com/analysis/435007

Signature

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1e3003997089d725802aea73f61a35f7a568c05b16251e2d93ea8a3f8973b1d3/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-17 20:46:33 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=dyyahglqrhlslabk5jz7mgrv66swrqc3cysr4lmt5kfd7cltwhjq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

33bba4987ed156603ef0d3d38b149b2f3d0bed4d52adf5615a6d19013cb7a94e

AgentTesla

416f9746f079b7af4180264d06ce55b88b1547d9a9da8db352e06a13aa5cf4a1

AgentTesla

89a814c2d1c565cb0f5e481d0636e5146f11aba30d40d7f03baa692d4b8dd833

AgentTesla

aee0659a73d3ce6eaaeafcfe545290f95e8e52c3f640fca9fcdb984a17ee27c0

AgentTesla

b283242e8ae83c1b2136090df9d70d06e328ee7116186667ed766d87f468da93

AgentTesla

b860c68b8a4ca548c005de132b6b2870a43baab32df04c32588d70da1ae47b6e

AgentTesla

c297389eed9eef2c21048b2adb9c9112fc7a7f209e4a0c989bbccc4a56b5d211

AgentTesla

e2ff7c5e749d36ebfcc2a9d5af487369e454ef301a859eb8fc11ebe15ea73e34

AgentTesla

e40f2c1fbdf6feb7a9c02bc0e049d2b62495ef5426d3809329bd6b651173af12

AgentTesla

+ 10'489 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200817-5lm554k8jx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/1e3003997089d725802aea73f61a35f7a568c05b16251e2d93ea8a3f8973b1d3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/47400/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample