MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a38416c96cd729c983630873174412ea5a61f140dfd6aaa1e88a6fbaa083002. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a38416c96cd729c983630873174412ea5a61f140dfd6aaa1e88a6fbaa083002
SHA3-384 hash: ada1551522dad3354ece569217458b816d1afee48b8b27ec1f855178cf4a9930acf54d8aa0dabdf280bf0198e347f304
SHA1 hash: 9aa5431a26956d34499c6418a64f9e93b37dc4ac
MD5 hash: 9f0eea125c8112fba571e60b1d6f5cb4
humanhash: colorado-diet-east-hawaii
File name:BOQ & SPECIFICATIONS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:567'808 bytes
First seen:2020-07-21 07:35:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 6144:oMHzunHrzSyRw6TB0Db1x+/QZaF0ODGasecq1A+WRwwgvCVyH+nnbPtgaZPIoEBP:+bSDhx+QODGRQA+KHsHObPtgaCUPq
Threatray 10'653 similar samples on MalwareBazaar
TLSH 26C49C14E7F84AD9E3BA17B9E434004087B5B61AA7E6E3985B91F0ED1C22750CB13F67
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: sieckgroup.net
Sending IP: 95.211.208.58
From: Ivan Chan <procurement3@sieckgroup.net >
Reply-To: purchase1@sieckgroup.net
Subject: RFQ_KATARA-TOWERS_METAL-WORKS
Attachment: BOQ SPECIFICATIONS.rar (contains "BOQ & SPECIFICATIONS.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29810/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Launching the process to change network settings
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/392744
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 248618 Sample: BOQ & SPECIFICATIONS.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 50 Found malware configuration 2->50 52 Sigma detected: Capture Wi-Fi password 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 3 other signatures 2->56 8 BOQ & SPECIFICATIONS.exe 5 2->8         started        11 LKUgjc.exe 2 2->11         started        13 LKUgjc.exe 1 2->13         started        process3 file4 32 C:\Users\...\BOQ & SPECIFICATIONS.exe.log, ASCII 8->32 dropped 15 RegSvcs.exe 1 4 8->15         started        20 RegSvcs.exe 8->20         started        22 conhost.exe 11->22         started        24 conhost.exe 13->24         started        process5 dnsIp6 34 smtp.yandex.ru 77.88.21.158, 49718, 587 YANDEXRU Russian Federation 15->34 36 smtp.yandex.com 15->36 30 C:\Users\user\AppData\Roaming\...\LKUgjc.exe, PE32 15->30 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->38 40 Tries to steal Mail credentials (via file access) 15->40 42 Tries to harvest and steal ftp login credentials 15->42 48 3 other signatures 15->48 26 netsh.exe 3 15->26         started        44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->44 46 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->46 file7 signatures8 process9 process10 28 conhost.exe 26->28         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/8a38416c96cd729c983630873174412ea5a61f140dfd6aaa1e88a6fbaa083002/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-21 07:37:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ri4ec3ewzvzjzgbwgcdtc5cbf2s2mhyubx6wvkq6rctpxkqigaba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2603522c96e103c7707dc88be9b18bb603fc8d57a7f8635a9c5c6365cdff955d
AgentTesla
349935f136cee03a2882fa46b0f646028068288a7b867ff057ed0df477ebaf5c
AgentTesla
3f7417d4b9f49c910340aa5797f17cb9899543411e476aaca96fa314ee4d5397
AgentTesla
81df88e9a99afeac94a4154b2b731fbc245fb3a7451d65db49130dd6a39d8586
AgentTesla
95f2db0071adb3c99b50c41ecdecbe4c6c18e9318bea7d8cd6743aff619a9f8f
AgentTesla
9b8bfd519d8bbe5a7c285f61c73abef27b4e18a22076d036698ec943b5e61c01
AgentTesla
ae578e4f421d63f6808871c92c4d019602d4fc27d5abaaf207703ccbbdb50a18
AgentTesla
c82a5ce771ee4c6afb7406184afba40c9aa6281c54cb9d6eeef5861d476cb3e9
AgentTesla
f7528188692c18bb7e9f48e7951fecee4ce70e99e7787e0ea48ea80bc8cc1fe9
AgentTesla
fade4888c4d9578792698d19cd87ee1bff8bdf2682313175c23313cfbd4dd681
AgentTesla
+ 10'643 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200721-aae2tbh3ls/
Behaviour
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Modifies service
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/8a38416c96cd729c983630873174412ea5a61f140dfd6aaa1e88a6fbaa083002

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 21539474532ca6e89666c5b0b6e98b406bbca1773a5a29bc188129a43a3a24b8

AgentTesla

Executable exe 8a38416c96cd729c983630873174412ea5a61f140dfd6aaa1e88a6fbaa083002

(this sample)

  
Dropped by
MD5 5cdbb9724d9a42f2f2966a417ea4644e
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29810/
  
Dropped by
SHA256 21539474532ca6e89666c5b0b6e98b406bbca1773a5a29bc188129a43a3a24b8

Comments