MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 510512320d54cf1dc953b01181d979bb25e60e0dc2895a38e0d0f303a1cc9253. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	510512320d54cf1dc953b01181d979bb25e60e0dc2895a38e0d0f303a1cc9253
SHA3-384 hash:	dc772a1d23d031b1180aecabaf6f84b6accfa2787c39ff0eb8cf3dbeed3492289ad7724b6d07e76e08d8e8842e165bcb
SHA1 hash:	a5908f29c836ed1b0928a13d04e39ad1d0850fb8
MD5 hash:	f3ac4f5350b90d3dc30a8d4961e288fb
humanhash:	zulu-october-utah-juliet
File name:	Payment.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	726'016 bytes
First seen:	2020-09-02 16:42:44 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:OWQM5jpjfaZPoMh5wXl5gM/59iHjFHrVI/Oo44xr84JiA3MDJEiX:rhF+ZQMh5wXlC/jrfoNr8QmDn
Threatray	9'252 similar samples on MalwareBazaar
TLSH	91F4E02563E8DF69F23D77BA0133465C03F1E142E7B2DA8DDED011891A56BA64723BC2
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/457728

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/510512320d54cf1dc953b01181d979bb25e60e0dc2895a38e0d0f303a1cc9253/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-09-02 15:27:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=kecremqnkthr3sktwaiydwlzxms6mdqnykevuoha2dzqhiomsjjq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

17c38ccce635b7567fb09e4e48c53b5661bdd29e827917a447f0de7741694d71

AgentTesla

4bf95223a897fa6ab4bda57ba941ecedb120c3e0a8564900f4142596e3414585

AgentTesla

4c0ba445450f16973c204aaab8265d888df2d38f822fbfcdf15249fbc3863356

AgentTesla

6c76b0e2b57067304f41c2933d486c67d798d150bff984acc0358e66d046036a

AgentTesla

77f8071b30876bb7f99165b4e52c7730f76b3bb5864a04d1a224d0bf6d9f8299

AgentTesla

86339324135e2584d960711e0adad1563fe4d577ff72a5f0a715b8e1768ae69f

AgentTesla

ccc2680bb054771a7c3677eb8075e3a33b2319c523c0c97976f1ada8896aa8b7

AgentTesla

cfefe5d485164b99beeb1aea8faca9e61f8a53d4b742ebf733922a0896511b50

AgentTesla

cffb6736521771821af04e2caaaf125e1d475bfe7166fcb39ff7db14c41931a7

AgentTesla

+ 9'242 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200902-wtllsq4qxj/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/510512320d54cf1dc953b01181d979bb25e60e0dc2895a38e0d0f303a1cc9253

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/54468/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample