MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31198541765ce3c6e0681658d68a3a6ea70a99f484e05bce3e77f57ed55171c7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 31198541765ce3c6e0681658d68a3a6ea70a99f484e05bce3e77f57ed55171c7
SHA3-384 hash: 1e131b77a0fb142e05f529675ff2b496570296e08b0b6cd3f130e85b1cfb365150d6b0f81848ffa56aa1f755ccd4d885
SHA1 hash: 7afd09b68bf5ca7090fc6d9ea60116ca224c7932
MD5 hash: 196618ad0d6494a299207d0a006e04a2
humanhash: twenty-solar-delaware-virginia
File name:RE,NEW PURCHASEING ORDER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:745'472 bytes
First seen:2020-07-29 11:32:42 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash e8ef47e85c79ee608837cc415c05c43b (15 x AgentTesla, 5 x NanoCore, 5 x Loki)
ssdeep 12288:TRXtpnVH9Az44BnvOCDhzcl0UdKndi2bnXOPnlLTDWisnaRYxH7J24G:Tfd8z4byilBdlGX2qnvp70j
Threatray 11'129 similar samples on MalwareBazaar
TLSH 40F4AE66B2E14933D1672E389C1B57689F3ABE102E34598D2FFC1C4C5F3968138762A7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: buypower.es
Sending IP: 156.96.157.112
From: alicia.gomez@buypower.es
Subject: RE,NEW PURCHASEING ORDER MACHINES
Attachment: RE,NEW PURCHASEING ORDER.zip (contains "RE,NEW PURCHASEING ORDER.exe")

AgentTesla SMTP exfil server:
mail.cjcurrent.com:26

AgentTesla SMTP exfil email address:
info2@cjcurrent.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34833/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Stealer.19347.10936.15784.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/402443
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 253588 Sample: RE,NEW PURCHASEING ORDER.exe Startdate: 29/07/2020 Architecture: WINDOWS Score: 100 27 g.msn.com 2->27 29 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->29 33 Found malware configuration 2->33 35 Yara detected AgentTesla 2->35 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 2->37 39 4 other signatures 2->39 7 MttyApp.exe 2->7         started        10 RE,NEW PURCHASEING ORDER.exe 2->10         started        12 MttyApp.exe 2->12         started        signatures3 process4 signatures5 41 Detected unpacking (changes PE section rights) 7->41 43 Detected unpacking (overwrites its own PE header) 7->43 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->45 49 3 other signatures 7->49 14 MttyApp.exe 4 7->14         started        47 Maps a DLL or memory area into another process 10->47 18 RE,NEW PURCHASEING ORDER.exe 2 7 10->18         started        21 MttyApp.exe 4 12->21         started        process6 dnsIp7 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->51 53 Tries to steal Mail credentials (via file access) 14->53 55 Tries to harvest and steal ftp login credentials 14->55 57 Tries to harvest and steal browser information (history, passwords, etc) 14->57 31 mail.cjcurrent.com 198.187.29.188, 26, 49725, 49731 NAMECHEAP-NETUS United States 18->31 23 C:\Users\user\AppData\Roaming\...\MttyApp.exe, PE32 18->23 dropped 25 C:\Users\user\...\MttyApp.exe:Zone.Identifier, ASCII 18->25 dropped 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->59 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/31198541765ce3c6e0681658d68a3a6ea70a99f484e05bce3e77f57ed55171c7/
Threat name:
Win32.Trojan.DataStealer
Create hunting rule
Status:
Malicious
First seen:
2020-07-29 11:34:07 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gemykqlwltr4nydiczmnncr2n2tqvgpuqtqfxtr6o72x5vkrohdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
29e5d8196d419e7731d97b71a59f0cb5f4158cf3c7e285241bf74d05815b734c
AgentTesla
3ff12e5656da20f43c70d051b320420da82d2fcecdb5ea2c7acd2d6eb7ec24f6
AgentTesla
636ccfc9b0b3e9336e0eb35e7a795097fa5a7908799a738142af28c08a631285
AgentTesla
7926de68f0148fa153c0419a0f5ef355f14f705ced4485fea5ce745b3b6c29b8
AgentTesla
8e1f5e94e0e8ea6f82b75d5b21f3964b77df3810c65a875c1ddfcaef53c5e10f
AgentTesla
b8593f4d7560ce53b3ccc9a84da05bb783ca5908fdb5a537bb274bef749ae282
AgentTesla
b89dcfcb93658704c904004a6266ed755b71c233de1ee97b0026a17af3462fa5
AgentTesla
c440a72dafbe500ae677f83d99ab1b342ef6393b2ee2ae5f55cfd95b1218622d
AgentTesla
c465ef4e04ed7cd32d3dc6cc3e52ca654721fdfd696baa7d6358e72f75a4b55e
AgentTesla
f255241a0343f23d9e0b2fd5a3e81be32ac570b70404ff91b01536c8c9b055b3
AgentTesla
+ 11'119 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx keylogger trojan stealer spyware family:agenttesla persistence
Link:
https://tria.ge/reports/200729-ftq5av738j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Reads user/profile data of local email clients
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/31198541765ce3c6e0681658d68a3a6ea70a99f484e05bce3e77f57ed55171c7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 56283daa993c54917a979be47f1d2da7f27abb64a201d47ef47740967110632a

AgentTesla

Executable exe 31198541765ce3c6e0681658d68a3a6ea70a99f484e05bce3e77f57ed55171c7

(this sample)

  
Dropped by
MD5 0ed4a5828f5dabbc6441d66a46aad53e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/34833/
  
Dropped by
SHA256 56283daa993c54917a979be47f1d2da7f27abb64a201d47ef47740967110632a

Comments