MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43af6ba4b7f666fe6a4ea1ef96142ed84a709d1e41bbd88c531882d88401899d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 9



SHA256 hash: 43af6ba4b7f666fe6a4ea1ef96142ed84a709d1e41bbd88c531882d88401899d
SHA3-384 hash: 00d90b2279ad409e9fdafc89ac5ab58cc73bd8465e9ca7ca058a21af2ea33794430111b980b98adfe529d20e2a84de1f
SHA1 hash: 2fed9bf51f485e305e89408b3e2447e186bac76c
MD5 hash: 84bed77bd71f6c74209ad94a09a7bd36
humanhash: wyoming-california-blossom-magnesium
File name: August_Order_List_05082020.exe
Signature AgentTesla
File size: 377'344 bytes
First seen: 2020-08-12 18:24:49 UTC
Last seen: 2020-08-12 18:51:20 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:uyc0p9UlHvGyaXaOizOYn3v21AfnU7ZILtPxFmqNuDs5r++ksQTO/mwGhMfBOzRt:fZYHv1CPI3v210F2qNuDI+fOuHhkGR3
Threatray 10'747 similar samples on MalwareBazaar
TLSH 4E84021CBB58C517E76E47BD90E262480BF4E22B5A13FFDA9CE8D0E6155DF02089907B
Reporter abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing AgentTesla:

HELO: mmengineers.com
Sending IP: 103.99.1.145
From: "B.Santhosh Kumar" <marketing@mmengineers.com>
Subject: RE: August_Order_List_05082020
Attachment: August_Order_List_05082020.rar (contains "August_Order_List_05082020.exe")

AgentTesla SMTP exfil server:
mail.yitaipackaging.com:587

AgentTesla SMTP exfil email address:
ytservice@yitaipackaging.com

Intelligence


File Origin
# of uploads: 2
# of downloads: 70
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Changing the hosts file
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.evad
Score:
72 / 100
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Behavior Graph ID: 264263
Sample: August_Order_List_05082020.exe
Startdate: 13/08/2020
Architecture: WINDOWS
Score: 72

Sample-level signatures:
  Yara detected AgentTesla
  Initial sample is a PE file and has a suspicious name

Process tree (node numbers as in the sandbox graph):
  August_Order_List_05082020.exe (12)
    Writes to foreign memory regions; Maps a DLL or memory area into another process
    August_Order_List_05082020.exe (19)
      Writes to foreign memory regions; Maps a DLL or memory area into another process
      August_Order_List_05082020.exe (30)
        Writes to foreign memory regions; Maps a DLL or memory area into another process
        August_Order_List_05082020.exe (35)
          Writes to foreign memory regions; Maps a DLL or memory area into another process
          August_Order_List_05082020.exe (40)
            Writes to foreign memory regions; Maps a DLL or memory area into another process
            August_Order_List_05082020.exe (46)
              Writes to foreign memory regions; Maps a DLL or memory area into another process
              August_Order_List_05082020.exe (51)
                Writes to foreign memory regions; Maps a DLL or memory area into another process
                RegAsm.exe (57)
              RegAsm.exe (54)
                Dropped: C:\Users\user\AppData\Roaming\...\gKWBf.exe, PE32
                Hides that the sample has been downloaded from the Internet (zone.identifier)
            RegAsm.exe (49)
              Hides that the sample has been downloaded from the Internet (zone.identifier)
          RegAsm.exe (43)
            Network: 192.168.2.1 (unknown)
            Hides that the sample has been downloaded from the Internet (zone.identifier)
        RegAsm.exe (38)
          Hides that the sample has been downloaded from the Internet (zone.identifier)
      RegAsm.exe (33)
    RegAsm.exe (22)
      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    RegAsm.exe (24)
      Hides that the sample has been downloaded from the Internet (zone.identifier)
  gKWBf.exe (15)
    conhost.exe (26)
  gKWBf.exe (17)
    conhost.exe (28)
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2020-08-12 18:26:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
keylogger stealer persistence trojan spyware family:agenttesla
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 43af6ba4b7f666fe6a4ea1ef96142ed84a709d1e41bbd88c531882d88401899d

(this sample)

Delivery method
Distributed via e-mail attachment

Comments