MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67147087feb1efc01a641bda1a605bf30457f1cbc8b0143aa997b3bd323e66b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 10



SHA256 hash: 67147087feb1efc01a641bda1a605bf30457f1cbc8b0143aa997b3bd323e66b8
SHA3-384 hash: 23ebe63d38bfaa0372355f5dc79190cf8fb3a3de1f81183d6e1bbc89e15d4f0e7702e9bda8bbd6151d6b0516e482f542
SHA1 hash: 99684b449de9c83c9a1c0dc326c693bedd61e59a
MD5 hash: a636c86dbb7161a2cffbd184ff48ec3d
humanhash: two-july-enemy-twelve
File name: IMG-109876787667873432332-232095.exe
Download: download sample
Signature: AgentTesla
File size: 577'536 bytes
First seen: 2020-08-11 13:59:27 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: a18a672aeeae86dc8783de7e30f7d80d (2 x AgentTesla)
ssdeep: 12288:Mgu9dxtqrDutMCVFy79ZbWtpfd/WIzmrsB7wF8M3xIrqFAJTiIsJIMEJS:pKXqPh579std2rC7wF8ezrynJ
Threatray: 11'003 similar samples on MalwareBazaar
TLSH: D8C48C41B245C19AEEC105797292EBBA45653D343129CA07FB873B2E3D723DB4126F8B
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing unidentified malware:

HELO: inventive.herosite.pro
Sending IP: 167.99.192.252
From: cuentas <cuentas@afslogistics.in>
Subject: Re: Confirmación de aviso de pago
Attachment: IMG-109876787667873432332-232095.IMG (contains "IMG-109876787667873432332-232095.exe")
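The delivery detail worth acting on in the report above is the wrapper: the executable is shipped inside an .IMG disk image, which Windows mounts on double-click and which many mail gateways do not open, so an extension blocklist on .exe never sees the payload. The following is an added triage example (not MalwareBazaar or abuse.ch code) that parses a mail message, flags disk-image attachments, recognises an ISO 9660 volume by its "CD001" descriptor at sector 16, and scans the image bytes for an embedded PE header. The message body, the image bytes and the position of the embedded PE are constructed to mirror the reported headers and attachment name; they are not the real sample.

```python
"""Triage an e-mail for a disk-image attachment that wraps an executable.
Added example, not MalwareBazaar or abuse.ch code. The message and the
attachment bytes are constructed to mirror the reported headers and file
name; the image content is a stand-in, not the real sample.
"""
import email
import email.policy
import struct
from email.message import EmailMessage

# Extensions Windows mounts as a volume on double-click; they carry a payload
# past gateways that only block executable attachment extensions.
DISK_IMAGE_EXTS = {".img", ".iso", ".vhd", ".vhdx", ".udf"}

ISO9660_DESCRIPTOR_OFFSET = 0x8000   # first volume descriptor = sector 16
ISO9660_MAGIC = b"CD001"             # standard identifier, 1 byte into it


def is_iso9660(data: bytes) -> bool:
    off = ISO9660_DESCRIPTOR_OFFSET + 1
    return data[off:off + len(ISO9660_MAGIC)] == ISO9660_MAGIC


def is_pe(data: bytes, offset: int = 0) -> bool:
    """Plausible PE image at offset: 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    sig_off = offset + e_lfanew
    return 0x40 <= e_lfanew < 0x1000 and data[sig_off:sig_off + 4] == b"PE\x00\x00"


def find_embedded_pe(data: bytes) -> list:
    """Offsets inside a blob (e.g. a disk image) where a PE header starts."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if is_pe(data, pos):
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage_message(raw: bytes) -> list:
    """One finding per attachment that deserves analyst attention."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        reasons = []
        if ext in DISK_IMAGE_EXTS:
            reasons.append("disk-image attachment extension")
        if is_iso9660(data):
            reasons.append("ISO 9660 volume")
            pe_offsets = find_embedded_pe(data)
            if pe_offsets:
                reasons.append("embedded PE at " + ", ".join(hex(o) for o in pe_offsets))
        elif is_pe(data):
            reasons.append("bare PE executable with extension %r" % ext)
        if reasons:
            findings.append({"filename": name, "reasons": reasons})
    return findings


def build_fake_image() -> bytes:
    """Constructed stand-in for the .IMG attachment: a primary volume descriptor
    at sector 16 and a minimal PE header where a file extent would sit."""
    img = bytearray(0x9000)
    img[ISO9660_DESCRIPTOR_OFFSET:ISO9660_DESCRIPTOR_OFFSET + 6] = b"\x01" + ISO9660_MAGIC
    pe = bytearray(0x60)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)   # e_lfanew -> PE signature at 0x40
    pe[0x40:0x44] = b"PE\x00\x00"
    img[0x8800:0x8800 + len(pe)] = pe
    return bytes(img)


def build_sample_message() -> bytes:
    """Constructed e-mail using the From, Subject and attachment name reported above."""
    msg = EmailMessage()
    msg["From"] = "cuentas <cuentas@afslogistics.in>"
    msg["Subject"] = "Re: Confirmación de aviso de pago"
    msg.set_content("Payment receipt attached.")
    msg.add_attachment(build_fake_image(), maintype="application",
                       subtype="octet-stream",
                       filename="IMG-109876787667873432332-232095.IMG")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in triage_message(build_sample_message()):
        print(f["filename"], "->", "; ".join(f["reasons"]))
```

The extension check alone is what most gateways do; the descriptor and embedded-PE checks are what catch a renamed image or one whose sender stripped the extension.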

Intelligence


File Origin
# of uploads: 1
# of downloads: 73
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Sending a UDP request
Modifying an executable file
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph (ID 261960; sample IMG-109876787667873432332-2...; start date 11/08/2020; architecture WINDOWS; score 100)

Top-level signatures: Found malware configuration; Yara detected AgentTesla; Sigma detected: MSBuild connects to smtp port; 3 other signatures

Process tree (node numbers are the graph's own):
  IMG-109876787667873432332-232095.exe (8) started
    dropped: C:\Users\user\AppData\Local\...\zenda.exe (PE32)
    dropped: C:\...\d9b898d6f1924b7395f3f4df1302c0b9.xml (XML)
    IMG-109876787667873432332-232095.exe (11) started
      IMG-109876787667873432332-232095.exe (18) started
        signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Injects a PE file into a foreign processes
        MSBuild.exe (27) started
          network: chenklins.com (89.45.67.200), TCP 49734 -> 587, BELCLOUDBG, Netherlands; mail.chenklins.com
          signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; 2 other signatures
      MSBuild.exe (21) started
    MSBuild.exe (13) started
      signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    cmd.exe (16) started
      conhost.exe (23) started
      schtasks.exe (25) started
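The graph gives three detection opportunities that do not depend on the hash: MSBuild.exe opening a connection to an SMTP port (the Sigma hit named above), MSBuild.exe being launched by a binary running out of a user profile rather than by a build tool, and schtasks.exe appearing under a cmd.exe whose ancestor is that same user-profile binary. The following is an added example (not vendor or MalwareBazaar code) that implements those three checks over constructed Sysmon-style process-create and network-connect events. The event set mirrors the graph's process tree and the 89.45.67.200:587 connection; the image path for the sample, the pids and the benign decoys (a real Visual Studio build, an admin running schtasks, Outlook using port 587) are made up for illustration.

```python
"""Detections read off the process/network graph above, run over constructed
Sysmon-style events. Added example, not vendor or MalwareBazaar code. Image
path for the sample, pids and the benign decoys are made up for illustration.
"""
import ntpath

SMTP_PORTS = {25, 465, 587}
# .NET build host that malware injects into; it has no reason to talk SMTP
# or to be launched from a user-writable directory.
INJECTION_HOSTS = {"msbuild.exe"}

IMG_EXE = r"C:\Users\user\Downloads\IMG-109876787667873432332-232095.exe"  # constructed
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
SYS32 = r"C:\Windows\System32"
DEVENV = r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"


def proc(pid, ppid, image, parent_image):
    return {"type": "process", "pid": pid, "ppid": ppid,
            "image": image, "parent_image": parent_image}


def net(pid, image, dest_ip, dest_port):
    return {"type": "network", "pid": pid, "image": image,
            "dest_ip": dest_ip, "dest_port": dest_port}


EVENTS = [  # constructed; node numbers follow the graph
    proc(2, 1, r"C:\Windows\explorer.exe", SYS32 + r"\userinit.exe"),
    proc(8, 2, IMG_EXE, r"C:\Windows\explorer.exe"),
    proc(11, 8, IMG_EXE, IMG_EXE),
    proc(13, 8, MSBUILD, IMG_EXE),
    proc(16, 8, SYS32 + r"\cmd.exe", IMG_EXE),
    proc(18, 11, IMG_EXE, IMG_EXE),
    proc(21, 11, MSBUILD, IMG_EXE),
    proc(23, 16, SYS32 + r"\conhost.exe", SYS32 + r"\cmd.exe"),
    proc(25, 16, SYS32 + r"\schtasks.exe", SYS32 + r"\cmd.exe"),
    proc(27, 18, MSBUILD, IMG_EXE),
    net(27, MSBUILD, "89.45.67.200", 587),
    # Benign decoys that must not fire: a real build, an admin's task, Outlook.
    proc(49, 2, DEVENV, r"C:\Windows\explorer.exe"),
    proc(50, 49, MSBUILD, DEVENV),
    proc(62, 2, SYS32 + r"\cmd.exe", r"C:\Windows\explorer.exe"),
    proc(60, 62, SYS32 + r"\schtasks.exe", SYS32 + r"\cmd.exe"),
    net(40, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "203.0.113.10", 587),
]


def basename(path):
    return ntpath.basename(path).lower()


def from_user_writable(path):
    """True for images running out of a user profile or other user-writable tree."""
    p = path.lower()
    return "\\users\\" in p or "\\programdata\\" in p or "\\windows\\temp\\" in p


def detect_msbuild_smtp(events):
    """Sigma-style: MSBuild.exe opening a connection to an SMTP port."""
    return [e for e in events if e["type"] == "network"
            and basename(e["image"]) in INJECTION_HOSTS
            and e["dest_port"] in SMTP_PORTS]


def detect_host_from_user_path(events):
    """MSBuild.exe started by a parent running from a user-writable path."""
    return [e for e in events if e["type"] == "process"
            and basename(e["image"]) in INJECTION_HOSTS
            and from_user_writable(e["parent_image"])]


def ancestry(pid, by_pid):
    """Walk the pid -> ppid chain through the process-create events we hold."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def detect_schtasks_from_user_exe(events, max_depth=4):
    """schtasks.exe whose ancestry (within max_depth hops) includes a process
    running from a user-writable path: the persistence step in the graph."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in by_pid.values():
        if basename(e["image"]) != "schtasks.exe":
            continue
        if any(from_user_writable(a["image"]) for a in ancestry(e["ppid"], by_pid)[:max_depth]):
            hits.append(e)
    return hits


def run_all(events):
    return {"msbuild_smtp": [e["pid"] for e in detect_msbuild_smtp(events)],
            "msbuild_from_user_path": [e["pid"] for e in detect_host_from_user_path(events)],
            "schtasks_from_user_exe": [e["pid"] for e in detect_schtasks_from_user_exe(events)]}


if __name__ == "__main__":
    print(run_all(EVENTS))
```

The ancestry walk matters because the persistence step here is two hops away from the dropper (dropper -> cmd.exe -> schtasks.exe); a rule that only looks at the immediate parent sees cmd.exe and stays quiet.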
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2020-08-11 13:12:48 UTC
AV detection: 26 of 29 (89.66%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: keylogger stealer spyware trojan family:agenttesla
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 67147087feb1efc01a641bda1a605bf30457f1cbc8b0143aa997b3bd323e66b8 (this sample)

Delivery method: Distributed via e-mail attachment

Comments