MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

SHA256 hash: 94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990
SHA3-384 hash: d813351dde5bdd6751b4085f09f452574750b706a9184242209ae649d3f1738c48cdad246fef3c45092d3f6e8b26355d
SHA1 hash: a95a26499d30f48ca0b23e17b7273b1e6b92f8ac
MD5 hash: 724bce9be00d521c9ae6075d50434b11
humanhash: ink-eighteen-sierra-kilo
File name: RFQ_99705546,99805546_Mark Cansick.exe
Signature: AgentTesla
File size: 581'120 bytes
First seen: 2021-09-28 08:27:25 UTC
Last seen: 2021-10-04 08:25:22 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (23'043 x AgentTesla, 5'566 x Formbook, 3'013 x Loki)
ssdeep: 12288:hXBNi+hBr7IUAvJZrd4r9gGrWLYaZ4daRiWLOYe0AUtXPcI7E:dBNi+hBr8UAvJ8r9gGy3kaRiWCH0Aqcl
Threatray: 10'338 similar samples on MalwareBazaar
TLSH: T181C4BFDE1C68A7CFFB1E01F8F679279C10AB9028D8EBB6D3D606B033107A6595924CD5
Reporter: @GovCERT_CH
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 2
# of downloads: 85
Origin country: FR
Mail intelligence: No data
Vendor Threat Intelligence
ID: 1
File name: RFQ_99705546,99805546_Mark Cansick.exe
Verdict: Malicious activity
Analysis date: 2021-09-28 08:30:23 UTC
Tags: n/a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph (graph image not reproduced; the details recoverable from it follow):
Behavior Graph ID: 492068; Sample: RFQ_99705546,99805546_Mark ...; Start date: 28/09/2021; Architecture: WINDOWS; Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 13 other signatures
Process started: RFQ_99705546,99805546_Mark Cansick.exe
Files dropped by that process: C:\Users\user\AppData\...\sucEaYWuNda.exe (PE32); C:\Users\...\sucEaYWuNda.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp1646.tmp (XML); RFQ_99705546,99805...ark Cansick.exe.log (ASCII)
Signatures on that process: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
Child processes started: a second instance of RFQ_99705546,99805546_Mark Cansick.exe; powershell.exe (which starts conhost.exe); schtasks.exe (which starts conhost.exe)
DNS/IP contacted by the second instance: smtp.regalbelloit.com; us2.smtp.mailhostbox.com 208.91.198.143, ports 49822, 49823, 587 (PUBLIC-DOMAIN-REGISTRYUS, United States)
Signatures on the second instance: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Moves itself to temp directory; Tries to steal Mail credentials (via file access); 3 other signatures
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2021-09-28 08:28:05 UTC
AV detection: 14 of 45 (31.11%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla evasion keylogger spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files

SHA256 hash: 9595d7f684aad56aa9dd51dd98c0ff89995cbe1d9d814ccbe0f393eac0d4a69b
MD5 hash: a548cf1831fecb4d6bd3cd1716d4b76d
SHA1 hash: 51b0ae5e3dd89c9ad7121d95f334ba761d939a1f

SHA256 hash: afe85dda504f0549ec0db7cfd668b9242f47015a34b15b24b9ddffbaaa58d719
MD5 hash: 040b291dfcf24a54b20a36966eaf199e
SHA1 hash: 3a74e549db10e1a59e41e691ab4de1b1d9a11799

SHA256 hash: 6a671abf66304301602b4afd0902840bc3915455cffc58d8916eaa693abe33ec
MD5 hash: 681eca96e4e7b513317178dc7065ef39
SHA1 hash: 24af82015bc57d125f1ccb759840118b2283d1dc

SHA256 hash: 69966b2ca95105577cdb689a7eacd5b4b4a1531bfde5aab1ba300917214f422d
MD5 hash: bb5861fe882a9e17971ce8187238389a
SHA1 hash: 21cf33fb4f39e097e816091c5837ba6d46486e2e

SHA256 hash: 94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990
MD5 hash: 724bce9be00d521c9ae6075d50434b11
SHA1 hash: a95a26499d30f48ca0b23e17b7273b1e6b92f8ac

Malware family: Agent Tesla v3
Verdict: Malicious

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as Malpedia. These are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:WHITE rules are displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: AgentTeslaV3
Author: ditekshen
Description: AgentTeslaV3 infostealer payload

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: pe_imphash

Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam
AgentTesla
Executable exe 94bc5b095176ccf49917563287006f3efd903cac47d48e251f4f4554ee87c990 (this sample)
Dropped by: AgentTesla
Delivery method: Distributed via e-mail attachment

Comments