MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93c807a2fb8dff5a30d9f860f1eb98304d8303f8fff4c53c98870201d6d3eb68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 93c807a2fb8dff5a30d9f860f1eb98304d8303f8fff4c53c98870201d6d3eb68
SHA3-384 hash: 11fd3fc485692a72b802b7bf339e454c064ecbb3b6aab39c8921685f3509ab15bc6b33d36bdd3d5f3863c4027c9f3738
SHA1 hash: 1b5693cbe7521087c8bb5b46a8706edb71b037a4
MD5 hash: fa0c9ce3695691566ec8fbba088433c6
humanhash: crazy-seventeen-sink-nevada
File name:overdue invoice.pdf...exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:552'448 bytes
First seen:2020-07-16 08:22:25 UTC
Last seen:2020-07-18 06:46:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:w/KPp2k4zUyBWyxw6zSrLRYYDEgXz/tgaTIxhB7LzYWqEv:w/KPSBA6HaEGz/PTML
Threatray 11'142 similar samples on MalwareBazaar
TLSH AEC49DCC3550719EC45E8D768964DC70AA206C62F7FBD207A3C36E9FB93D597CA012A2
Reporter abuse_ch
Tags:AgentTesla DBS exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dbs.com.sg
Sending IP: 103.99.1.159
From: DBS Bank<info@dbs.com.sg>
Subject: TT- Swift Copy: 471/35/13A-2773 From DBS Bank
Attachment: overdue invoice.pdf...zip (contains "overdue invoice.pdf...exe")

AgentTesla SMTP exfil server:
mail.matrixas.in:587

Intelligence

File Origin
# of uploads :
6
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/26533/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.393.3500.9507.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun with Startup directory
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/389473
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246920 Sample: overdue invoice.pdf...exe Startdate: 19/07/2020 Architecture: WINDOWS Score: 100 45 Multi AV Scanner detection for dropped file 2->45 47 Sigma detected: Scheduled temp file as task from temp location 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 7 other signatures 2->51 7 overdue invoice.pdf...exe 5 2->7         started        11 BAVLA.exe 1 2->11         started        13 BAVLA.exe 2->13         started        process3 file4 27 C:\Users\user\AppData\Roaming\zRCQEZ.exe, PE32 7->27 dropped 29 C:\Users\user\...\zRCQEZ.exe:Zone.Identifier, ASCII 7->29 dropped 31 C:\Users\user\AppData\Local\...\tmp9D66.tmp, XML 7->31 dropped 33 C:\Users\...\overdue invoice.pdf...exe.log, ASCII 7->33 dropped 53 Injects a PE file into a foreign processes 7->53 15 overdue invoice.pdf...exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        55 Multi AV Scanner detection for dropped file 11->55 57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->57 59 Machine Learning detection for dropped file 11->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->61 21 BAVLA.exe 2 11->21         started        23 BAVLA.exe 2 13->23         started        signatures5 process6 file7 35 C:\Users\user\AppData\Roaming\...\BAVLA.exe, PE32 15->35 dropped 37 C:\Users\user\...\BAVLA.exe:Zone.Identifier, ASCII 15->37 dropped 39 Tries to steal Mail credentials (via file access) 15->39 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->41 25 conhost.exe 19->25         started        43 Tries to harvest and steal browser information (history, passwords, etc) 23->43 signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/93c807a2fb8dff5a30d9f860f1eb98304d8303f8fff4c53c98870201d6d3eb68/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-16 08:24:08 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=speapix3rx7vumgz7bqpd24ygbgyga7y772mkpeyq4badvwt5nua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
14ab9ac5f254705d24bf42ac212827c4aebe6f64ba3a9331c8c153bd18195152
AgentTesla
22d92e9b0441722e2eec1d718cfbc78036132d57b15ec9ab1a84170cd1633efe
AgentTesla
2c584579de13e6355e67a813fa388c5cfe131405dd79da6ad6de1fb47b5f842e
AgentTesla
30fe842b10902c8ef83f5de74a6ad0987b391a318f4254ab5a276ab89175b28d
AgentTesla
34408552d34edc061e6bce5aa476bdfa09f5c8a7f1936d902dea430c0fa14d62
AgentTesla
6c14f83aa09c4b45b49bc66096834c964a934f8d171733babb829aaf1f6d579e
AgentTesla
95574ab20f094a30ec1f5d3cd6694e6afd0a5c4809e0151f5bd2b427bbbb33df
AgentTesla
a66773bfc5fe5cfabc1ba18edbf514246699d37ccaace2705a8f4c0ecb6ee8bd
AgentTesla
cae8cc4a40faf9c3474f86baf427e7eb1c63c4d75afec8a99da5f616752ffbdd
AgentTesla
fe6e78fc04cc85915c056447a608233c7094caf911cc8de0e0491184cdaf056b
AgentTesla
+ 11'132 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  3/10
Tags:
n/a
Link:
https://tria.ge/reports/200716-8e7n46tvba/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 78754a57a06bd7b5f2eaa2fbee3ef6ccfcf04dfc1500f9c1dff4f115f67c2929

AgentTesla

Executable exe 93c807a2fb8dff5a30d9f860f1eb98304d8303f8fff4c53c98870201d6d3eb68

(this sample)

  
Dropped by
MD5 563c2430d43ea79f03f55b0c5945a4ff
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/26533/
  
Dropped by
SHA256 78754a57a06bd7b5f2eaa2fbee3ef6ccfcf04dfc1500f9c1dff4f115f67c2929

Comments