MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2797fabdb7ec8843947933f792ef8db22cc3bab5e06f8204ab4697acd0a04d55. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2797fabdb7ec8843947933f792ef8db22cc3bab5e06f8204ab4697acd0a04d55
SHA3-384 hash: 4892989c148f916ede722ea6517a4d0605c6841b902c8cc6127a7cb40831e704ac271b2dbc2bb73be4fa71bd6149d304
SHA1 hash: 0cdb48c1c430d16878cce2626275fe049fc96cef
MD5 hash: c852c4155fa6f0046db39e6aab83435f
humanhash: island-johnny-utah-sad
File name:IMG-568765445678987656789876-12275.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:425'472 bytes
First seen:2020-08-05 13:46:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dca25223c79d933c0a8efd09e5ca88bb (3 x AgentTesla)
ssdeep 12288:gtfpIAuWu4BlzI7cgHF10YqxTbX3CZTeKT3:gtBIAPzI7c2STbCr
Threatray 10'755 similar samples on MalwareBazaar
TLSH 3994C01433D0E423E8526130B4EEDEE94618B8701AF4DE47BBD05BDB0E726F49929E97
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: rhino.hostingplus.cl
Sending IP: 192.140.56.52
From: cuentas <cuentas@bursalokantacilarodasi.org.tr>
Subject: Re: ConfirmaciĆ³n de aviso de pago
Attachment: IMG-568765445678987656789876-12275.IMG (contains "IMG-568765445678987656789876-12275.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/39653/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Launching a process
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/411320
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2797fabdb7ec8843947933f792ef8db22cc3bab5e06f8204ab4697acd0a04d55/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 13:48:07 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=e6l7vpnx5seehfdzgp3zf34nwiwmhovv4bxyebfli2l2zufajvkq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
29351837be2ee7ec1cd05fb09ee502ef3f43dfc549d23d69d4b61c400343d899
AgentTesla
3153b96e0d31eb2901117a088ffcdbe7e88ba65660171b0f0d43295ea21a27b0
AgentTesla
34408552d34edc061e6bce5aa476bdfa09f5c8a7f1936d902dea430c0fa14d62
AgentTesla
43f7ca6a635db4dedd6c734f3af9ba5a96d87b4698f1c4eec56c8b86f6be26c9
AgentTesla
6bab78869dbbef0f84e21ff64ef79e4d2f5b5c672b3d8ef48dc520c674b81c5d
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
90aa9f9ad74752d2965816d8d68399d2b1c4fdce28c2ca57753196b3a2d60b34
AgentTesla
b04580b535d7a018ff5b8933e399b7b1497b3dfa896798fef656412a925ceb78
AgentTesla
ec6afc29beafb4093f0aca9fa00e1c3097dac94baee4801eebc5043de4556781
AgentTesla
f9cdc89e99a471146ead33ee9c93bca0ecc286e65cf326c4450a9d6d8597153b
AgentTesla
+ 10'745 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200805-zy19fzsppe/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2797fabdb7ec8843947933f792ef8db22cc3bab5e06f8204ab4697acd0a04d55

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 75d2bdec7126942bb56650002cee4dc176b96e131506173cd11fcc03faff6109

AgentTesla

Executable exe 2797fabdb7ec8843947933f792ef8db22cc3bab5e06f8204ab4697acd0a04d55

(this sample)

  
Dropped by
MD5 a1607a3d0d50db8c3fb1b6b313ce071e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39653/
  
Dropped by
SHA256 75d2bdec7126942bb56650002cee4dc176b96e131506173cd11fcc03faff6109

Comments