MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4f22002fa8e6ac42be9455b9e786da31fd301db9392fb387a0948f6e212e02a0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	4f22002fa8e6ac42be9455b9e786da31fd301db9392fb387a0948f6e212e02a0
SHA3-384 hash:	7330a683e3eed0de5fab64cbeef30999ba1f76f89d3d13742e85630bfc8d84933fc052b3d138ed9d2b707b28eb923801
SHA1 hash:	c9dc45ecdc2fb58e14be58e18b2bb864703d8be3
MD5 hash:	6f9ce67a343b9f8bed90957132be043c
humanhash:	twelve-four-football-leopard
File name:	FAX RECEIPT_SO 151-154.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	752'128 bytes
First seen:	2020-07-16 13:43:48 UTC
Last seen:	2020-07-16 15:48:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:bi2CSVq2tecg1n26op8mZEwVZHz3X2A+rK/ocU:5W26op8mZEwVZHz35o
Threatray	10'720 similar samples on MalwareBazaar
TLSH	6CF4293CFA826805D93D063184A859D07271E78B2A1DC70F69F637585F332EB7B16D8A
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/26762/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.368.8433.12344.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/389617

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4f22002fa8e6ac42be9455b9e786da31fd301db9392fb387a0948f6e212e02a0/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-16 10:03:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

36 of 48 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=j4raal5i42wefpuukw46pbw2gh6tahnzhex3hb5asshw4ijoakqa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

40d1d555d1d73aa499642f57619f6e749ffc9d3439841628032093af5ae8da6c

AgentTesla

4e20252f94c4824e06bfcb274d0deceb6e33b6b09db74c25b029f4972fed8572

AgentTesla

53afc0a7a102b5f223dede42d026f0113c8b98c7049ee8cfae4845a35fa0fb9e

AgentTesla

7c6da3c6cdc2c4ba881925e305c2c2044105546e0b7a8ca1d8c523d8584be05a

AgentTesla

9bdaa1fcc1ff472dd41dadc7e01f9fa8d21adbb34a0576debe64e1ed7bec7e7e

AgentTesla

a7ec6dfb09d3866bdfe3a1306182ad995f309029828f9e1de99bb7f658cacb64

AgentTesla

b5258ddc74fd2d455241f16d2505ab8c67b590fde3f5475be867e28c7856be07

AgentTesla

b69f6ee64e6f0fd78926dc5f41314ac63de7bd5f60969185dc7e48470ca1d0a9

AgentTesla

ff4b6d3bf0c8d4a8c7c547ec8d3b8a747c9c7e2192567c2dc221305b25ee3fbd

AgentTesla

+ 10'710 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200716-k69x31y1qa/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Loads dropped DLL

Reads user/profile data of local email clients

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/26762/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample