MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2e26f3d20d246b10bfabfceb33cbfd707049377dc821e2cd4ef9f77ab599693d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2e26f3d20d246b10bfabfceb33cbfd707049377dc821e2cd4ef9f77ab599693d
SHA3-384 hash: fbb336a8c7e74aeebde4b75d77cc6563ca1d731d5025c0b1e5c3280c87a57cf240abc9b51d43dafe879c6523b4d45994
SHA1 hash: 9ebc1af5e441489eaa1070d1ea651473fadce442
MD5 hash: 98a6112ed9f13e4b4bfd8d9f2decd5dd
humanhash: lithium-lamp-quebec-fanta
File name:TENDER DOCUMENT OF EYGCO LLC PROJECT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:684'032 bytes
First seen:2020-08-19 14:43:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:D8aEYehgvVMBFH43e5KU+Z04DMR+hk5xD1T2fwUZNY0TIAj0+2WdMUF4lo4HJIhB:YXThaolDUjZlDIUk5BcwUZLUAjDG9C
Threatray 9'518 similar samples on MalwareBazaar
TLSH 3CE42226039A5F5BE6BD08BC0016E1B951E2CD8264A5F36EFDDC8CFFB593B4A2754120
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: DS7919266.clientshostname.com
Sending IP: 185.180.198.157
From: EGYCO LLC <brightli201@gmail.com>
Subject: RFQ - EGYCO LLC TENDER DOCUMENT
Attachment: SPECIFICATION AND EGYCO TENDER DOCUMENT.IMG (contains "TENDER DOCUMENT OF EYGCO LLC PROJECT.exe")

AgentTesla SMTP exfil server:
mail.mfs2u.com.my:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/48656/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/438576
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 271767 Sample: TENDER DOCUMENT OF EYGCO LL... Startdate: 20/08/2020 Architecture: WINDOWS Score: 100 35 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->35 37 Found malware configuration 2->37 39 Sigma detected: Scheduled temp file as task from temp location 2->39 41 9 other signatures 2->41 7 TENDER DOCUMENT OF EYGCO LLC PROJECT.exe 7 2->7         started        process3 file4 21 C:\Users\user\AppData\Roaming\THYoZsiw.exe, PE32 7->21 dropped 23 C:\Users\...\THYoZsiw.exe:Zone.Identifier, ASCII 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmpAA86.tmp, XML 7->25 dropped 27 TENDER DOCUMENT OF...LLC PROJECT.exe.log, ASCII 7->27 dropped 43 Writes to foreign memory regions 7->43 45 Injects a PE file into a foreign processes 7->45 11 MSBuild.exe 2 7->11         started        15 MSBuild.exe 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 29 mfs2u.com.my 139.162.7.203, 49703, 587 LINODE-APLinodeLLCUS Netherlands 11->29 31 mail.mfs2u.com.my 11->31 33 192.168.2.1 unknown unknown 11->33 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->47 49 Tries to steal Mail credentials (via file access) 11->49 51 Tries to harvest and steal ftp login credentials 11->51 57 2 other signatures 11->57 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->55 19 conhost.exe 17->19         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2e26f3d20d246b10bfabfceb33cbfd707049377dc821e2cd4ef9f77ab599693d/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 14:45:10 UTC
AV detection:
19 of 28 (67.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fytphuqnervrbp5l7tvths75obyesn35zaq6ftko7h3xvnmzne6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0e78d448b1897de24b817517cf43af0df86bb97bd17b36208f97d845dc993191
AgentTesla
340ef8e34673a896b2ec2a96bdab6e34fe79f773dbec3c4c918594733da577e7
AgentTesla
420c2572fe66b34a3e994b43ec3d35a60559c2b011c02c038854a99034a9ca2f
AgentTesla
76e0ef504371de843a6197e948a1a1dfe3f8e87e25ff8e2ee5f6648daff0e0c6
AgentTesla
9e31a9eedd25bd1b57d01f6f9f265cf5d13218f3e3e1866128d061ba5c77c452
AgentTesla
b745f8bc7dd3ee96edc308bcfbe51d0807a32a31be0a99b56a847d9df84cc200
AgentTesla
d7db8ce277c863459834407483c57e0f2679146f2bf7ea348c48ac69f1f4a469
AgentTesla
dc7b9feef27af7635ac6c4bf9073a4330a22de2ba8a4219d30cfc1ea097175e0
AgentTesla
e83b98a736b614af8adb721b387d5eda8d794c6fd58296a59a86c6faf9baf4ba
AgentTesla
ff4b6d3bf0c8d4a8c7c547ec8d3b8a747c9c7e2192567c2dc221305b25ee3fbd
AgentTesla
+ 9'508 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200819-9nyzfs3hgn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2e26f3d20d246b10bfabfceb33cbfd707049377dc821e2cd4ef9f77ab599693d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 0634676b3c100574d8507f5146cf3c5a5e76858b9e0b680801d86fb5bc5fa456

AgentTesla

Executable exe 2e26f3d20d246b10bfabfceb33cbfd707049377dc821e2cd4ef9f77ab599693d

(this sample)

  
Dropped by
MD5 b493f08a2989b26a2ba694c94dbf1a2c
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/48656/
  
Dropped by
SHA256 0634676b3c100574d8507f5146cf3c5a5e76858b9e0b680801d86fb5bc5fa456

Comments