MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 88b855230b87d175f2d18abc165aeabc52e8f2952ac09d2db7e0f4d012f3ec43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 88b855230b87d175f2d18abc165aeabc52e8f2952ac09d2db7e0f4d012f3ec43
SHA3-384 hash: c6d828818cb43ae92186e61c8234e8364d4a8ae7aed98f45b83ebc3dcbaa84a964441df4a31976d6ef49486a11c28657
SHA1 hash: c258783242a75f34c6fdf39b5b877d00a77bef50
MD5 hash: d3e658b177c856dbf4b18f367a6cb272
humanhash: jupiter-avocado-may-eleven
File name:Please Confirm Your Shipment Address.0001.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:4'829'696 bytes
First seen:2020-07-17 21:35:49 UTC
Last seen:2020-07-17 21:49:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 98304:UdH5FJ8MvqYZtQPcOOWRGhj3vZItVhQxHW1feaHxcjL:UHfTS1dRDQJYJHKL
Threatray 10'586 similar samples on MalwareBazaar
TLSH DA26123D25869A14DA3F0D79C8BC35D962B075473A21CB0EBACE077C5F8638B7B0615A
Reporter Racco42
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27576/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Connection attempt to an infection source
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/389218
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246803 Sample: Please Confirm Your Shipmen... Startdate: 19/07/2020 Architecture: WINDOWS Score: 66 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected AgentTesla 2->34 36 Sigma detected: Add file from suspicious location to autostart registry 2->36 38 2 other signatures 2->38 7 Please Confirm Your Shipment Address.0001.exe 5 2->7         started        10 pcalua.exe 1 1 2->10         started        12 pcalua.exe 1 2->12         started        process3 file4 24 C:\Users\user\AppData\Roaming\Caudio1.exe, PE32 7->24 dropped 26 C:\Users\user\...\Caudio1.exe:Zone.Identifier, ASCII 7->26 dropped 28 Please Confirm You...ddress.0001.exe.log, ASCII 7->28 dropped 30 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->30 dropped 14 Caudio1.exe 7->14         started        17 cmd.exe 1 7->17         started        process5 signatures6 42 Multi AV Scanner detection for dropped file 14->42 44 Machine Learning detection for dropped file 14->44 19 reg.exe 1 1 17->19         started        22 conhost.exe 17->22         started        process7 signatures8 40 Creates an autostart registry key pointing to binary in C:\Windows 19->40
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/88b855230b87d175f2d18abc165aeabc52e8f2952ac09d2db7e0f4d012f3ec43/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-17 02:14:45 UTC
AV detection:
26 of 31 (83.87%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=rc4fkiylq7ixl4wrrk6bmwxkxrjor4uvflaj2lnx4d2naext5rbq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04100ed81b98bad69ba33472802db912c403111f7fef1cb58f8981b9ce310ee3
AgentTesla
757811211cb9b67549000151e38132dabe4f0791589ca1559cca94e9993cd7cc
AgentTesla
8846c5d088724ae06915e0e0f987ca3a65fba368095bc73f3109f6cb7841318b
AgentTesla
99dc64c72b1f6454e497a499216ad187c66e00f42ad23e3c5d240c39ed10b667
AgentTesla
ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317
AgentTesla
b529cca79f06479c44285da507549c93a1ed77a040d884c8bab8c2e4f9840a76
AgentTesla
cea8cae444dd5dadf01c31def4681b170907b97e0cfb468a9ff317ce7ae736a3
AgentTesla
d9db86325cb63915a31775ab7b78f14802fa077e3aed9122f0fb03e9f39d05f2
AgentTesla
f242ad8f253e4e481529cffa7b3d697683649ba31b8c8500f2d24d2bf591e553
AgentTesla
f93ca4cd3ed07276972b89aee75211d52551197a2d1c5c8c3f01ed85aa13a4ea
AgentTesla
+ 10'576 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200717-dtklnn692x/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/88b855230b87d175f2d18abc165aeabc52e8f2952ac09d2db7e0f4d012f3ec43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 88b855230b87d175f2d18abc165aeabc52e8f2952ac09d2db7e0f4d012f3ec43

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/27576/

Comments