MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 975bd764510169b28cbde394746ed4c26b05ce0465c2184873d5e1c6e14bfae8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	975bd764510169b28cbde394746ed4c26b05ce0465c2184873d5e1c6e14bfae8
SHA3-384 hash:	ec08aaffcfae783dea65e03b8432c5bbaabf24da6eaf9d219d710860a592a3519447102fef19df6e0ca2792fdd2afbd3
SHA1 hash:	a8dd6fa0df930adc680ba59e21a38f65ff2521bf
MD5 hash:	5ec10a1838558ef8052be5971de30548
humanhash:	white-florida-georgia-echo
File name:	PurchaseOrder0820.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	797'184 bytes
First seen:	2020-08-19 13:36:12 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:HKNLdi9VZv+Yvvhoqoz6AKLVpmebfOyvuign0QjJR:HKNLdi9VB+Yv5oqozwV4Kly9R
Threatray	10'514 similar samples on MalwareBazaar
TLSH	AA053A3D35816407E63C413184AC9AD27375B64E3B42CB2F76DA176EAF0328B3B551AE
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: host75.registrar-servers.com
Sending IP: 198.187.29.67
From: Helen <helen@unischolarboard.com>
Subject: Order for August
Attachment: PurchaseOrder0820.img (contains "PurchaseOrder0820.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/48566/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/438234

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/975bd764510169b28cbde394746ed4c26b05ce0465c2184873d5e1c6e14bfae8/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-08-19 04:12:19 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=s5n5ozcrafu3fdf54okhi3wuyjvqltqemxbbqsdt2xq4nykl7lua._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0e928609807c597f7046341f0a335738ae8efa905be3c51de1f47d3c5ffb1996

AgentTesla

1328e0030337b326a962b3369cc8dd2b474de98267e8e9fdc3684f4e5ecb9984

AgentTesla

4c1a433244a83a823b97c4739c5ef1d79f078f0072d580046e295e6c0271f464

AgentTesla

5b9992f4588e6337ada6ed55a1f39fe4a229f31070a04df1c32d18e3c1b0a0b7

AgentTesla

5e2b50ea71dab4a9890936aa161e9063c33aa43088bc88ed55707b6684aa0f46

AgentTesla

6bfaed4b195fabe34d859307606ab45f4be80702d73e60efce3147b3a75d48f6

AgentTesla

7dc693a09183412e6567e278cad02a34b8d4779ba93fddf8c34b1daaf78400e1

AgentTesla

a9103ccf2939a9a9b54d8c50aa993af6fcf3ddda4e0491f1987fe09a83f98ab3

AgentTesla

dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f

AgentTesla

+ 10'504 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer family:agenttesla

Link:

https://tria.ge/reports/200819-g6rwbn571x/

Behaviour

AgentTesla Payload

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Barys

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/975bd764510169b28cbde394746ed4c26b05ce0465c2184873d5e1c6e14bfae8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar