MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67a641524568fcafd0347283ea8cb1eb2a4615ce4034b34ffd2471848aa69082. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 3 Comments

SHA256 hash: 67a641524568fcafd0347283ea8cb1eb2a4615ce4034b34ffd2471848aa69082
SHA3-384 hash: 857144bf14b0af03e6dc4a50e0bd32bf6438dcb91d7a0edb1016d4a612d5bb634eb2675b8f972b3e60235cabc1b3fe72
SHA1 hash: f52c8094e53d58ad71058a1740c7a7d8b216977b
MD5 hash: 8a02fb8903f348fb485c76935f6332f3
humanhash: paris-cold-enemy-batman
File name:prove of payment 7312020.exe
Download: download sample
Signature AgentTesla
File size:757'248 bytes
First seen:2020-07-31 13:36:22 UTC
Last seen:2020-07-31 14:48:21 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:8VC34DLyXyeHT9izMu7s5kbcOrAtGZA5ujmT0P2hXsPU67eesBZmrL+dn:tKRezc4kP5r6ujmTa2hX8jr
TLSH 3AF4C0047B50E54EC7ABCF7ACAD44800EEB8E4DA4617E38B748273EF19CE36A95015B5
Reporter @James_inthe_box
Tags:AgentTesla exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
50
Origin country :
FR FR
Mail intelligence
Geo location:
Global
Volume:
Low
Geo location:
NL Netherlands
Volume:
Low
Vendor Threat Intelligence
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255445 Sample: prove of payment 7312020.exe Startdate: 01/08/2020 Architecture: WINDOWS Score: 100 53 Sigma detected: Scheduled temp file as task from temp location 2->53 55 Yara detected AgentTesla 2->55 57 Yara detected AntiVM_3 2->57 59 8 other signatures 2->59 7 prove of payment 7312020.exe 5 2->7         started        11 Mymp4.exe 2->11         started        13 Mymp4.exe 1 2->13         started        process3 file4 31 C:\Users\user\AppData\...\&startupname&.exe, PE32 7->31 dropped 33 C:\Users\user\AppData\Local\...\tmpFFC1.tmp, XML 7->33 dropped 35 C:\...\&startupname&.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\...\prove of payment 7312020.exe.log, ASCII 7->37 dropped 61 Injects a PE file into a foreign processes 7->61 15 prove of payment 7312020.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        21 prove of payment 7312020.exe 7->21         started        27 3 other processes 7->27 23 Mymp4.exe 2 11->23         started        63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->63 65 Machine Learning detection for dropped file 13->65 67 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->67 69 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 13->69 25 Mymp4.exe 2 13->25         started        signatures5 process6 file7 39 C:\Users\user\AppData\Roaming\...\Mymp4.exe, PE32 15->39 dropped 41 C:\Users\user\...\Mymp4.exe:Zone.Identifier, ASCII 15->41 dropped 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->43 45 Installs a global keyboard hook 15->45 29 conhost.exe 19->29         started        47 Tries to steal Mail credentials (via file access) 23->47 49 Tries to harvest and steal ftp login credentials 23->49 51 Tries to harvest and steal browser information (history, passwords, etc) 23->51 signatures8 process9
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-07-31 01:04:16 UTC
AV detection:
20 of 31 (64.52%)
Threat level
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Reads user/profile data of local email clients
AgentTesla Payload
AgentTesla
Threat name:
AgentTesla
Score:
1.00

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other

Comments