MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 992224c3cf97b0d58a9a0c5af443de835abecf518c8c9da0c7724f8929922f8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	992224c3cf97b0d58a9a0c5af443de835abecf518c8c9da0c7724f8929922f8f
SHA3-384 hash:	cf424f48f58a44fe4d59a82de9a9571e9d52fefab63e5b029234fc97bdb8618268cba7c3104b38466ebded8f3235648e
SHA1 hash:	2a00d33b20114c6e51c933b7046e2c125e9dd600
MD5 hash:	9946eeb0fcd3999a02b252fa30a8628d
humanhash:	idaho-paris-five-item
File name:	Copia de pago.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	524'288 bytes
First seen:	2020-08-19 12:55:27 UTC
Last seen:	2020-08-19 13:45:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	6144:RZQPh5lVs2XGJWaEH+3umqIU/qbk+tIxcK49JHYLYaFonhdfBCSqJTp2OUI1o0Tn:yxeHBtbh6HQaVinjBfwUKo0FOsN
Threatray	10'627 similar samples on MalwareBazaar
TLSH	9DB4F16760A52338C47CB9FA900104A346F7DC675719F6A641F836BA24FE563CE2932F
Reporter	abuse_ch
Tags:	AgentTesla ESP exe geo

abuse_ch

Malspam distributing AgentTesla:

HELO: mail.a3p.mx
Sending IP: 66.113.180.183
From: BANCO BANAMEX <oscar.rosas@citibanamex.com>
Subject: RE: Aprobación de pago BANCO BANAMEX
Attachment: Copia de pago.pdf.gz (contains "Copia de pago.pdf.exe")

AgentTesla SMTP exfil server:
mail.trademaxperu.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/48524/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.405.27281.8.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/438026

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/992224c3cf97b0d58a9a0c5af443de835abecf518c8c9da0c7724f8929922f8f/

Threat name:

ByteCode-MSIL.Ransomware.TeslaCrypt

Status:

Malicious

First seen:

2020-08-19 12:57:04 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=tercjq6ps6ynlcu2brnpiq66qnnl5t2rrsgj3ighojhyskmsf6hq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

4131d43f1597af2d35f0f44040aca3cb09b14f934d0ea2cb04ca4a1b9f3991cb

AgentTesla

56f2c7b9d0efa06b177d87a0617b2a4ccb000d72599d046e3cc014628a4ca497

AgentTesla

66332e53989ee89d3c963cecd82424b45e332cadb2d9e13ba13f9f49d22b25ee

AgentTesla

687bbb360426bced3a9f69df3a4ae321c30c2e6e8cc40bde6b6b7519a6aaab34

AgentTesla

779250862192983603f41542782abb140ff3a0be669c5fb3bf80ea6932b4fc50

AgentTesla

88ca3229bbbcdfa0efd9ba8533253fc7cb11206b266d0bcdde54e2c10ac87e35

AgentTesla

923400c38b42c55fd484b8dfec8058a5952de23cbe053dea7bf041aa727c1b25

AgentTesla

d3027dd8d1fd1dc823baace52ec28189ed1486065438d86c640199f4d98d3f79

AgentTesla

d589bde71aff96cea185e9175ca0797d0799a0f0d64de123be6e2c1bc9c73b68

AgentTesla

+ 10'617 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200819-lpay6ym5ga/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/992224c3cf97b0d58a9a0c5af443de835abecf518c8c9da0c7724f8929922f8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar