MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22165d0974fa72f7e87c8e5128cd1fc3fe6b6dc0ed8e990838229b3a92234349. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 3 File information Comments

SHA256 hash:	22165d0974fa72f7e87c8e5128cd1fc3fe6b6dc0ed8e990838229b3a92234349
SHA3-384 hash:	1b5fa05d72c9d4b407a5a4f5e8ba3172b0d82da7d44f1eda106b6702b03d5846fce0cec510e9536e8c18ed5f135baa42
SHA1 hash:	9705c6c9c2e470c48463ac1b3924f515c54c106d
MD5 hash:	997504b4b4392233e29484349d3915e1
humanhash:	johnny-king-skylark-ack
File name:	Shipping Documents-097100.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	3'492'864 bytes
First seen:	2020-07-29 06:49:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e8ef47e85c79ee608837cc415c05c43b (15 x AgentTesla, 5 x NanoCore, 5 x Loki)
ssdeep	49152:Nf8IN1Q2lYX4IAzOGdVxBqcEqoaUW6+rgxvOZTPqEZjLtlLedSi76tv:Nf801ooRhVefqoLErEs2EPlYSvB
Threatray	11'189 similar samples on MalwareBazaar
TLSH	2EF52322A3E14932D1A71E789C1B57749F36BF103A3499462BFC1C8C9F39BD138652A7
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: server.radheshyamengines.partners
Sending IP: 162.241.204.242
From: GG BULK SHIPPING LTD. <ortobennett@ortobennett.com>
Subject: Shipping Documents
Attachment: Shipping Documents-097100.pdf.uu (contains "Shipping Documents-097100.exe")

AgentTesla SMTP exfil server:
mail.hajartrading.net:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/34257/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Stealer.19347.10936.15784.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Searching for the window

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/401368

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected Agent Tesla Trojan

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/22165d0974fa72f7e87c8e5128cd1fc3fe6b6dc0ed8e990838229b3a92234349/

Threat name:

Win32.Trojan.DataStealer

Status:

Malicious

First seen:

2020-07-29 01:36:07 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=eilf2clu7jzpp2d4rzisrti7yp7gw3oa5whjscbyekntverdineq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

2d642faf36b978257eb3ecaab096fb7a47d2420cc9dbc052130aa5fdde1f4726

AgentTesla

32ef6a3c172b8ab59ed668b0fbad8c05dda82428fb2d1ec8e47d9e6db076043f

AgentTesla

37d7cd08ca91dc9962cfd418aafc0d115b954ee72c181feaf7d986c1f56b26a7

AgentTesla

60b66b4e182a7c2510e2abecd821a0cb30de3da1309e01ed36230cc9bc556cac

AgentTesla

7ab75859697472c8bda10b6cb7e7ffa7c8f5ce5eae3e7c67a565ffad2c6de83b

AgentTesla

8948e4e0f392197b1c1436e5f7a2a7bc326c849b6129d8cf287a6d6a03cd642e

AgentTesla

982d2699709d7a024a542a4f771a544cf987ce8d8f15cfa3dcefca157b251e3e

AgentTesla

e0e1906cf3bdce3052f97a950aef614488f566a4d587428d64d0c848f97a7a4f

AgentTesla

f2db78e5165646f19a5b9438764740b24ab4c578890cd68e292cedaed3f7ca84

AgentTesla

+ 11'179 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/200729-chyh31v21j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/22165d0974fa72f7e87c8e5128cd1fc3fe6b6dc0ed8e990838229b3a92234349

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar