MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93716c86a95207d2a151c0b3ff70e14b16fd7bf7dace1b17449f51eb05a17c2a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

SHA256 hash: 93716c86a95207d2a151c0b3ff70e14b16fd7bf7dace1b17449f51eb05a17c2a
SHA3-384 hash: afd69e24b690148ccc1aa5e8a2f1296a3877c3f99745824f2b5768a3993deeb1e8406775e3899cd9bcf74d2b6d91c04b
SHA1 hash: 4e1f0235b3a2ce6d8d308cac88a02428ef1f6ebe
MD5 hash: 301f883fe5145bad9b1e5044c691a7ba
humanhash: chicken-oranges-magazine-moon
File name: 301f883fe5145bad9b1e5044c691a7ba.exe
Signature: AgentTesla
File size: 1'606'968 bytes
First seen: 2020-07-29 12:01:11 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 00be6e6c4f9e287672c8301b72bdabf3 (116 x RedLineStealer, 70 x AsyncRAT, 55 x AgentTesla)
ssdeep: 24576:6NA3R5drXodUxPwyJroMfJJNy7q0vapy1Vu8opsi5UFiO9z1Aj3eJ13o:z5oIIMfDqv+yXu8omKUFLz1Aj3uRo
Threatray: 277 similar samples on MalwareBazaar
TLSH: 9075EF23E35344FBD4790734459B5B30AEBAAD302AB2974BDB6075296C72350BE24F93
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
AgentTesla SMTP exfil server:
smtp.zp-aluminuim.com:587

Intelligence


File Origin
# of uploads: 1
# of downloads: 72
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating a file in the %temp% subdirectories
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Creating a file
Launching a process
Using the Windows Management Instrumentation requests
Sending an HTTP GET request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 60 / 100
Signature
Allocates memory in foreign processes
Yara detected AgentTesla
Yara detected AntiVM autoit script
Behaviour
Behavior Graph (ID 253625; sample C65zcpljRH.exe; start date 29/07/2020; architecture WINDOWS; score 60): graph rendering not reproduced here. Recoverable nodes: C65zcpljRH.exe drops C:\Users\user\AppData\Local\Temp\...\jxuk.cmd (PE32) and starts jxuk.cmd; jxuk.cmd and wscript.exe repeatedly launch one another; contact with 192.168.2.1 (unknown); signatures on the graph: Yara detected AgentTesla, Yara detected AntiVM autoit script, Allocates memory in foreign processes.
Threat name: Win32.Trojan.AgentTesla
Status: Malicious
First seen: 2020-07-29 08:22:50 UTC
AV detection: 30 of 48 (62.50%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: spyware keylogger trojan stealer family:agenttesla persistence family:nanocore
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Loads dropped DLL
Executes dropped EXE
AgentTesla
NanoCore
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: win_agent_tesla_w1
Author: govcert_ch
Description: Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: AgentTesla
Sample: Executable exe 93716c86a95207d2a151c0b3ff70e14b16fd7bf7dace1b17449f51eb05a17c2a (this sample)

Delivery method: Distributed via web download
