MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 322246ebcd55123f8d11816a45dde9ef1b0b041ab306fce78af896a04052e6c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



SHA256 hash: 322246ebcd55123f8d11816a45dde9ef1b0b041ab306fce78af896a04052e6c8
SHA3-384 hash: c302df425e345f96375456eefe9c829b26d670e579b28c79c2c5f6962581816c26f28f101095c81c202a30ba1c397da8
SHA1 hash: 656e494c33580a04d6ad08749a3f90fb7d4bb131
MD5 hash: 5660db4d39e1c2a7887c2b26c2f70f9b
humanhash: arizona-utah-nuts-leopard
File name: 5660db4d39e1c2a7887c2b26c2f70f9b.exe
Signature: AgentTesla
File size: 357'376 bytes
First seen: 2020-07-31 11:47:36 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep: 6144:AJtN4fgraFKbahaT2pX47tKj4JwwltNHyoVI:AJw3FDhUwI
TLSH: 3F74BE170B5D927AE7BD75756E32A13006E395AF6981EB4EC700C5AE3C123D8A40EEF1
Reporter: @abuse_ch
Tags: AgentTesla, exe


Twitter post by @abuse_ch:
AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence


File Origin
# of uploads: 1
# of downloads: 31
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
Detection: Agenttesla
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.adwa.spyw.evad
Score: 88 / 100
Signature
Drops PE files to the startup folder
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph ID: 255341 (sample 2JdUSu8jxO.exe, start date 31/07/2020, architecture WINDOWS, score 88; the graph rendering itself is not reproduced here)
Processes observed in the graph: 2JdUSu8jxO.exe, HBWELB.exe, RegAsm.exe, conhost.exe
Files dropped: C:\Users\user\s.exe (PE32), C:\Users\user\s.exe:Zone.Identifier (ASCII), C:\Users\user\AppData\...\HJdyTuap.exe (PE32), C:\Users\user\AppData\Roaming\...\HBWELB.exe (PE32)
Threat name: ByteCode-MSIL.Trojan.FormBook
Status: Malicious
First seen: 2020-07-31 01:17:00 UTC
AV detection: 22 of 31 (70.97%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: keylogger, stealer, persistence, trojan, spyware, family:agenttesla
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
AgentTesla Payload
AgentTesla
Threat name: Kryptik
Score: 1.00

Yara Signatures


Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research
Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name: win_agent_tesla_w1
Author: govcert_ch
Description: Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download | AgentTesla | Executable exe 322246ebcd55123f8d11816a45dde9ef1b0b041ab306fce78af896a04052e6c8 (this sample)

Delivery method: Distributed via web download

Comments