MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 496915df405522ba15593a35d2c7d2da7adbe9dec2cfe62d2db4a47e81fddcca. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	496915df405522ba15593a35d2c7d2da7adbe9dec2cfe62d2db4a47e81fddcca
SHA3-384 hash:	fde7b9297261b1bd93c3054350aa32cbc37459e87e37dc98bb631db766e8e2c987a1df122c1e35903c6bd506b456f995
SHA1 hash:	fa52096ed7b37a332792b037e72fd78d4664e400
MD5 hash:	77b7ee62cc692b825283e3036ef8a8e4
humanhash:	island-hot-friend-cold
File name:	77b7ee62cc692b825283e3036ef8a8e4.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	708'608 bytes
First seen:	2020-08-03 07:38:38 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	24f26e153c9b6068c0a4770547eb6d9e (14 x Loki, 7 x AgentTesla, 2 x Formbook)
ssdeep	12288:bCbpcLhilrm7G8oclWEAroCo3DQmTj7prYQ3riwwhpMmm:MuLhi80Jro7FrYOrYzk
Threatray	11'111 similar samples on MalwareBazaar
TLSH	27E49E22E7A0443EF1723A3D5D2B57BC9826BE51392C59463BECDD4C6F393423926287
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
almashosting.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/37471/

Detection(s):

SecuriteInfo.com.Win32.Herz.B.23927.UNOFFICIAL

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Variant.Zusy.307895.13627.19246.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file in the %temp% subdirectories

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/407626

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/496915df405522ba15593a35d2c7d2da7adbe9dec2cfe62d2db4a47e81fddcca/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-07-03 00:41:02 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jfurlx2akurlufkzhi25fr6s3j5nx2o6ylh6mljnwssh5ap53tfa._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

7a477a446769be5e8f006df9f0b2a77439d269acca020f44954ec93a98252164

AgentTesla

934982623de62355613d2c7e8f8d1edee0a5db84c99636fb9ee543e7cfc6a079

AgentTesla

aa218adce0cc32486a75b6e5a2669c8b82afac444485f3d44bb168482276ad4e

AgentTesla

c53185f575195f3621b1b2cd4f8e95f60098dd6340c8492a90fb1c0d880ee7a0

AgentTesla

c95e7d84353b77c81870d17df0d8a73387b3d3804b5db509b50176b049fa7a8b

AgentTesla

dd5e99c3b05f5d4e9cbdf8b7f28a233618b3d2abb8a7cab1a10fdbcdd859dfb6

AgentTesla

ddde9519c188d7ef44e9d8235066be5fe298e2089888749263531f014b8e4b5c

AgentTesla

ead74c9cce8a3bc5dec5f0bc9f860f90fcd6791cdacce3ecd59e3e96ac0035c9

AgentTesla

ec6cfe036b88320b3208921df633e7ec0e1fbd3353e6fdc9d621d5cce1b9a27d

AgentTesla

+ 11'101 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx keylogger stealer persistence spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200803-d56329tgt2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

UPX packed file

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tinba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/496915df405522ba15593a35d2c7d2da7adbe9dec2cfe62d2db4a47e81fddcca

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar