MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7be1a27c42f1dd1703b4e35bb619ae44fe55c29abe8ad204bdc1cdd91e75e7a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7be1a27c42f1dd1703b4e35bb619ae44fe55c29abe8ad204bdc1cdd91e75e7a8
SHA3-384 hash: d7f062aa384cdc907588d6b1efd5cf45f4dd9bcc1fe7ad2ea4492e6a2d2251067aef4e3c681e4d56fc72e315bda2340e
SHA1 hash: f3f922a95c53793217f7a0c3dd5f6879872d1db7
MD5 hash: 3a917a8551132d01bfa74f6bf855274e
humanhash: eleven-florida-bakerloo-four
File name:gunzipped
Download: download sample
Signature AgentTesla
Create hunting rule
File size:538'112 bytes
First seen:2020-07-16 10:05:48 UTC
Last seen:2020-07-16 11:10:03 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:9Bh32k4zU2aRuBZaf7fLAQKlvAK1RTjMU/8z/B8yeG8:X6U+7XzvMa8
Threatray 11'129 similar samples on MalwareBazaar
TLSH 24B48CD83910B59EC91E8D768954DC70A6106C66F3FBE20763C76E9F793C687CB042A2
Reporter abuse_ch
Tags:AgentTesla


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.itrad3r.com
Sending IP: 45.140.168.119
From: Bonfiglioli PVT <Info@bonfglioli.com>
Subject: Purchase Order
Attachment: P.O.gz (contains "gunzipped")

AgentTesla SMTP exfil server:
mail.kinangopdairy.co.ke:587

AgentTesla SMTP exfil email address:
james.muiruri@kinangopdairy.co.ke

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26656/
Detection(s):
SecuriteInfo.com.CAP_HookExKeylogger.15083.6862.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389541
Signature
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246956 Sample: gunzipped Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 29 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->29 31 Found malware configuration 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 7 other signatures 2->35 7 gunzipped.exe 5 2->7         started        process3 file4 19 C:\Users\user\AppData\...\fYazAgQcXY.exe, PE32 7->19 dropped 21 C:\Users\...\fYazAgQcXY.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp36FF.tmp, XML 7->23 dropped 25 C:\Users\user\AppData\...\gunzipped.exe.log, ASCII 7->25 dropped 37 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->37 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->41 43 Injects a PE file into a foreign processes 7->43 11 gunzipped.exe 10 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 mail.kinangopdairy.co.ke 88.99.90.30, 49717, 49718, 587 HETZNER-ASDE Germany 11->27 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 2 other signatures 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/7be1a27c42f1dd1703b4e35bb619ae44fe55c29abe8ad204bdc1cdd91e75e7a8/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 10:07:06 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ppq2e7cc6horoa5u4nn3mgnoit7flqu2x2fnebf5yhg5shtv46ua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
065e8a67f2f183b639efbce3d4014c2d21e658f0e7fb92ae57a6cef9acd12626
AgentTesla
1e351911bf4f3405c644d9145ba2947cf78e9049578fe1e64b3466478ad3e1cf
AgentTesla
29285c1e0f58e12ace807098090275535b37d6faf0379372b4ae41299cca5c3f
AgentTesla
519675edeedff67d6e38db3a65860747facf59b0301ca98fb85c52a135017791
AgentTesla
7248d0601627171f4663a14d2e7ca4d80dc8060cd8e126ff18b53d9139b5e423
AgentTesla
960bdf7b7b3bd263fcd5aa32f4b0ddb567349d46f6d5062a8000981675bffe6f
AgentTesla
a385cf35d627fa6e686aa5b19d2196180460707500e430330c0dce28d7815481
AgentTesla
ac6059835dff236452027450749d077775411e277447a711e5f53bea47262821
AgentTesla
b4e29b2c8ddeddb4aca873321f9d0ca3271c086ad5e624ca5c928751a49c5cef
AgentTesla
c57e0fc02e939ef6d9f2e1d92cd74d6ed7df502a1c2ded6e8ae68f6bc5ff3aec
AgentTesla
+ 11'119 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200716-xeaseayvs2/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 5427c1457c50731447fbb29bd54f668519755700ccfde5f06a04e2e2812c2286

AgentTesla

Executable exe 7be1a27c42f1dd1703b4e35bb619ae44fe55c29abe8ad204bdc1cdd91e75e7a8

(this sample)

  
Dropped by
MD5 69884ed70f87aa6942ce34e3b506dbb9
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26656/
  
Dropped by
SHA256 5427c1457c50731447fbb29bd54f668519755700ccfde5f06a04e2e2812c2286

Comments