MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37e399fce2caa80c9ea931f693b51a6d1c11464df1ead916cfca67f6100ad71f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37e399fce2caa80c9ea931f693b51a6d1c11464df1ead916cfca67f6100ad71f
SHA3-384 hash: c930134205827283cffd5ed8bb2546a499ed2c57c4256c1f0733c6fa555ed311a7a795105e52705c1cefa756e8e1e623
SHA1 hash: e176e6b0a34ecc203f30813e54a1ab8325297ab3
MD5 hash: 3e68b7ef28a3025b722831cd624cb2a8
humanhash: eleven-october-spring-fish
File name:po no 10389 & 10390 - for 2 orders together.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:676'352 bytes
First seen:2020-08-16 18:11:57 UTC
Last seen:2020-08-16 18:39:18 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:T1e+qpHuq7F/OgkkJycQnl8amD2yZjEUyPruKa/padAOgzF5+a+:T5ipJ/OgxKiDTZjEUqRa+AO+Z+
Threatray 10'547 similar samples on MalwareBazaar
TLSH DCE41243E6E59711C83A2E714621274022F27EDAF635F71D9E823198A5B33D6D380FE6
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: slot0.allocatestorage.pro
Sending IP: 104.168.190.52
From: PETER LAZAROV <peter.lazarov@easyexport.bg>
Subject: Po procesada
Attachment: po no 10389 10390.lzh (contains "po no 10389 & 10390 - for 2 orders together.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46551/
Detection(s):
SecuriteInfo.com.Generic.mg.3e68b7ef28a3025b.753.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/432357
Signature
.NET source code contains potential unpacker
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37e399fce2caa80c9ea931f693b51a6d1c11464df1ead916cfca67f6100ad71f/
Threat name:
ByteCode-MSIL.Spyware.Noon
Create hunting rule
Status:
Malicious
First seen:
2020-08-16 18:13:08 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g7rzt7hczkuazhvjgh3jhni2nuobcrsn6hvnsfwpzjt7meak24pq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d048612a3cb9e6113b539ce3bd2f08f56e604869cdb38edcf02400ae12c3a74
AgentTesla
1f5f7921e3be739b51bead01306a9cc5dc7fec1dbc01a6784497de89afb6742c
AgentTesla
69141d8c99ebc4e3298c2e7203d061fe46d3bd513e3f93498a9fe2753cd82b8a
AgentTesla
6b3c0907618cdc1bdcb07dd987ee91dbcc691b2181d947e81d8d2756d7cea195
AgentTesla
77bb6489c1fd6c87f2ba80955211d0eef9be425d4e6076bd7280c6f87f9f3300
AgentTesla
7811b5864571348651746538905398e08bc9a5a11d6cb27ff6dd7a970be77741
AgentTesla
e593655b5dafbbb4d5a991689b883d1304c8b653a714ec724d31c08ed37f13d5
AgentTesla
ed847b13d7e0e4544eba48cd80e78a0dc002a8c46b3acb871113ad5be5f44916
AgentTesla
f16ce9d494986b9f5a386de9b3a9a691c7939db12d030daf87cbb4c5f299f315
AgentTesla
f6fb0f9050f39e6c6b3441d6a71d0e975552093fcf77f1d45ab06ef9b1fd7691
AgentTesla
+ 10'537 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla evasion
Link:
https://tria.ge/reports/200816-v6n9lxnc2s/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/37e399fce2caa80c9ea931f693b51a6d1c11464df1ead916cfca67f6100ad71f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 623344972936ef938d926720ffe33dac5ff918a7e5bbab7aaca6611077e723b1

AgentTesla

Executable exe 37e399fce2caa80c9ea931f693b51a6d1c11464df1ead916cfca67f6100ad71f

(this sample)

  
Dropped by
MD5 83a32fcd629d41912975dfee3da2e2b4
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46551/
  
Dropped by
SHA256 623344972936ef938d926720ffe33dac5ff918a7e5bbab7aaca6611077e723b1

Comments