MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 33d4629a1443f50661279fb08d872d44607e89718d1b479f552b1fedfe0c8426. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 3 Comments

SHA256 hash: 33d4629a1443f50661279fb08d872d44607e89718d1b479f552b1fedfe0c8426
SHA3-384 hash: e4d3d995cda6d1c4c4d6ea0bc11adf7a94e2e70a2c4f3bb57a99a87728fbceec30a78bc203c15e652d7afdb390ef9386
SHA1 hash: cd1925828cc37ca57d606113a3571d940542f901
MD5 hash: 69500900996117a8ae61b16b45ddd5aa
humanhash: robin-artist-oscar-tennis
File name:69500900996117a8ae61b16b45ddd5aa.exe
Download: download sample
Signature AgentTesla
File size:493'056 bytes
First seen:2020-07-31 10:02:19 UTC
Last seen:2020-07-31 11:09:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:5WiDcWQo1/+Mhxg7I3ohGdYNeL88NAq38ITP:5vtfh53ohahL88NAq
TLSH EDA4F1593251B38FC56B8D764D541CA0A3B0B822470BE357BCD72AED9A5EA47CF012B3
Reporter @abuse_ch
Tags:AgentTesla exe


Twitter
@abuse_ch
AgentTesla SMTP exfil server:
bh-58.webhostbox.net:587

Intelligence


File Origin
# of uploads :
2
# of downloads :
29
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255269 Sample: MdSqhLJHWn.exe Startdate: 31/07/2020 Architecture: WINDOWS Score: 100 35 Found malware configuration 2->35 37 Yara detected AgentTesla 2->37 39 Yara detected AntiVM_3 2->39 41 2 other signatures 2->41 6 angel.exe 3 2->6         started        9 MdSqhLJHWn.exe 3 2->9         started        12 angel.exe 2 2->12         started        process3 file4 43 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->43 45 Machine Learning detection for dropped file 6->45 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->47 14 angel.exe 4 6->14         started        29 C:\Users\user\AppData\...\MdSqhLJHWn.exe.log, ASCII 9->29 dropped 49 Injects a PE file into a foreign processes 9->49 18 MdSqhLJHWn.exe 2 7 9->18         started        21 angel.exe 4 12->21         started        23 angel.exe 12->23         started        signatures5 process6 dnsIp7 31 192.168.2.1 unknown unknown 14->31 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->51 53 Tries to steal Mail credentials (via file access) 14->53 55 Tries to harvest and steal ftp login credentials 14->55 57 Tries to harvest and steal browser information (history, passwords, etc) 14->57 33 bh-58.webhostbox.net 199.79.63.24, 49750, 49755, 587 PUBLIC-DOMAIN-REGISTRYUS United States 18->33 25 C:\Users\user\AppData\Local\...\angel.exe, PE32 18->25 dropped 27 C:\Users\user\...\angel.exe:Zone.Identifier, ASCII 18->27 dropped 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->59 61 Installs a global keyboard hook 18->61 file8 signatures9
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Status:
Malicious
First seen:
2020-07-31 00:03:00 UTC
AV detection:
17 of 31 (54.84%)
Threat level
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Threat name:
Trojan
Score:
1.00

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 33d4629a1443f50661279fb08d872d44607e89718d1b479f552b1fedfe0c8426

(this sample)

  
Delivery method
Distributed via web download

Comments