MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9370eb77b940552817196f4ada9b057a70b278db9352315e7ff8ed45d3b33cc4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	9370eb77b940552817196f4ada9b057a70b278db9352315e7ff8ed45d3b33cc4
SHA3-384 hash:	68770f5f197e05e0152f89619265fcf941eaac7666365c2783c1714a12d937c16bb88b7a5d2647ca43e3bfbf81e11827
SHA1 hash:	4fb9eee5e96cbb434b54fe77279c06c11a7aa1ba
MD5 hash:	fafa2a211b3efb1da6f3087a354528c3
humanhash:	xray-beryllium-south-quiet
File name:	Uk2NiMBhV8Y3iyu.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	573'952 bytes
First seen:	2020-07-16 08:22:46 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:Fww0Fj2k4zUcyBh8MHvMCXs3gYgG6Ohjk/NO/z8dvuMwSDOh:FhiT80vDYJhjkK
Threatray	11'112 similar samples on MalwareBazaar
TLSH	72C48CD83950719EC44E8D768964DC30AA206C66F7FBE207A3C36D9F793C687CE141A2
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: slot0.allfrice.com
Sending IP: 45.95.169.51
From: Kim<info@ulmanfoundation.org>
Subject: PO-7890374
Attachment: NEW-ORDER.IMG (contains "Uk2NiMBhV8Y3iyu.exe")

AgentTesla FTP exfil server:
asnbanknl.com:21

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/26535/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Enabling autorun with Startup directory

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/389477

Signature

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9370eb77b940552817196f4ada9b057a70b278db9352315e7ff8ed45d3b33cc4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-16 07:20:44 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=snyow55zibksqfyzn5fnvgyfpjyle6g3snjdcxt77dwulu5thtca._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

6d64f2c47bc182a160e02ceebb8e194dd627fb83d762f9d1609d4f1d7cf3ff89

AgentTesla

8210f4c4fedbca54d332df8d9e672cef8a4424695c2ffce581bf526a1537be27

AgentTesla

88ac38fd4d4a5bff6e2f09c5071b6b8d654e2d65da6662c02d14fabb32047ca7

AgentTesla

92dcc5b8d659d632e41ab1f27b1d0ee2062d46c82a71d06a6c3c6c4e63c7293e

AgentTesla

960bdf7b7b3bd263fcd5aa32f4b0ddb567349d46f6d5062a8000981675bffe6f

AgentTesla

9bca8f7366390a1fac5bfcc29896ce8d4e75475eb9a3b41af7293e9c6b718451

AgentTesla

ac6059835dff236452027450749d077775411e277447a711e5f53bea47262821

AgentTesla

d71568c813508e5ca61308f597bfccf2f11fec2d5ec90bd2287d3e4b7cbb3e11

AgentTesla

f6fc22ec88e5653d35064b62baba0b24d9a66391412f21488053e6df37b87c98

AgentTesla

+ 11'102 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200716-gfhwjqc28e/

Behaviour

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar