MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 62b12b5aa0a143e4e524a373433964af7789445282fbf8247be68e57c8befaa9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 4 File information Comments

SHA256 hash:	62b12b5aa0a143e4e524a373433964af7789445282fbf8247be68e57c8befaa9
SHA3-384 hash:	4c257bd97ec4233963cd5d2ed9fd016bb95563ae6f1e65570aa6bd2de40ddd58d102915b596b9f40d3153e6adff21fc9
SHA1 hash:	9f27726fe7a7253423d23c77b353d3b414f738c3
MD5 hash:	59942dd4d696fc76bd89f180b6bcd242
humanhash:	alpha-nuts-fourteen-idaho
File name:	Scan docs.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	728'064 bytes
First seen:	2020-07-25 07:38:08 UTC
Last seen:	2020-07-25 08:57:37 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	858a931c79a9e89ac12e565a67a29a38 (1 x FormBook, 1 x AgentTesla, 1 x RemcosRAT)
ssdeep	12288:m0f5kFb4nCjrJlDdFsG9JApKMTjTzH77Z59dOR+:3RkCCj/BF4pKMXvZ5Y+
Threatray	11'780 similar samples on MalwareBazaar
TLSH	88F4C076E7D14437C123267D9D1B976CA83ABE10295D19876FE91C0DAF3B282783B183
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: gw.vietinaviva.vn
Sending IP: 42.112.208.197
From: TRUONG THI HIEN TRANG <truongthihientrang@sales.aviva.com.vn>
Subject: PAYMENT ADVICE - TELEGRAPHIC TRANSFER NO. M88SI1808BU00250
Attachment: Scan docs.rar (contains "Scan docs.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/32342/

Detection(s):

PUA.Win.Packer.BorlandDelphi-15

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Changing the hosts file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/397879

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the hosts file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/62b12b5aa0a143e4e524a373433964af7789445282fbf8247be68e57c8befaa9/

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-24 22:41:16 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=mkyswwvaufb6jzjeunzugolev53ysrcsql57qjd342hfpsf67kuq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

38646a30918b6636c6936f666b3624cde1cd32000733502782890aa52d9fa2a9

AgentTesla

3f5e9228e55bcc3b1275b7781683f6465921db947bfa6897a62bd5b7a1d15474

AgentTesla

6b2503a98a3f1b29173e7e42867b4ac5e21a825348b791ad4a6ea12966720514

AgentTesla

81e1b005ad6288e3342303bb5f923ac974cd409220848cb371c0fdac7f7af6a4

AgentTesla

a72d19bc0c550d6ac3e8e6ef34bf507091219e72091a76bb7d1950848d4837b7

AgentTesla

ad5d194018074784d3a8ac9aa334d5b0b4c8ec9fe721ba7870ef054e29d4529d

AgentTesla

c5690f21ed72510ec7c5ffd5b7ee052d9fa73a376f3eb740bf4af954772ad0a1

AgentTesla

e71c74d33683e14022e6d0f0e7a14efcf744c7d4aec03216934dbf17eba9eacb

AgentTesla

f7fe3c3f88aef6e3994fb4fd091930f5870998c1de9785c65b1294718563af97

AgentTesla

+ 11'770 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200725-ptjwwam2rn/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Drops file in Drivers directory

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/62b12b5aa0a143e4e524a373433964af7789445282fbf8247be68e57c8befaa9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar