MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9efe7e30ea15e98bd89bd340662d1c23a37efe66af1eec0275a7138b043cae37. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9efe7e30ea15e98bd89bd340662d1c23a37efe66af1eec0275a7138b043cae37
SHA3-384 hash: d8e2bd0a96f76969b1b052b372991b1a0899d2ef23ba1c9494407fab7f7143faba9b2a16d852ce0180bed59215449b7f
SHA1 hash: 0893dda00aed4db2871870ba538d6ea7d252098c
MD5 hash: 9aeddbf569161fb4611075244a03a4aa
humanhash: princess-one-bravo-venus
File name:NEW PO.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:451'584 bytes
First seen:2020-08-06 05:44:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Zecst7dHIP7fQA2CrJ9bX6nb0YEbwIDgMtr7CsdN+K//5/UWBTI4TMKP0JRWbRqx:Ze1t7dHqztxnqLMFGzK35lKssSw
Threatray 10'757 similar samples on MalwareBazaar
TLSH F8A49ED49384EE75CAA48F3BA471B86902AE3F436D52E70B6C6C70DA19733917442E4F
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: [103.140.250.133]
Sending IP: 103.140.250.133
From: Lu Thai Textile Co Ltd <luthai@ltc.com.cn>
Reply-To: luthai@ltc.com.cn
Subject: NEW PO.
Attachment: NEW PO.rar (contains "NEW PO.exe")

AgentTesla SMTP exfil server:
mail.indiaflanges.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
69
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/40066/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Launching a process
Creating a window
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/412126
Signature
Drops PE files to the startup folder
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 258302 Sample: NEW PO.exe Startdate: 06/08/2020 Architecture: WINDOWS Score: 80 72 Yara detected AgentTesla 2->72 74 Machine Learning detection for sample 2->74 76 Machine Learning detection for dropped file 2->76 78 Drops PE files to the startup folder 2->78 12 NEW PO.exe 4 2->12         started        17 newapp.exe 2 2->17         started        19 newapp.exe 1 2->19         started        process3 dnsIp4 70 192.168.2.1 unknown unknown 12->70 64 C:\Users\user\AppData\Roaming64otepad.exe, PE32 12->64 dropped 66 C:\Users\user\AppData\...\HJdyTuap.exe, PE32 12->66 dropped 68 C:\Users\user\...68otepad.exe:Zone.Identifier, ASCII 12->68 dropped 108 Writes to foreign memory regions 12->108 110 Maps a DLL or memory area into another process 12->110 112 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->112 21 NEW PO.exe 12->21         started        24 RegAsm.exe 2 4 12->24         started        26 conhost.exe 17->26         started        28 conhost.exe 19->28         started        file5 signatures6 process7 signatures8 86 Writes to foreign memory regions 21->86 88 Maps a DLL or memory area into another process 21->88 30 NEW PO.exe 21->30         started        33 RegAsm.exe 2 21->33         started        35 RegAsm.exe 21->35         started        90 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->90 92 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 24->92 94 Hides that the sample has been downloaded from the Internet (zone.identifier) 24->94 process9 signatures10 114 Writes to foreign memory regions 30->114 116 Maps a DLL or memory area into another process 30->116 37 NEW PO.exe 30->37         started        40 RegAsm.exe 3 30->40         started        process11 signatures12 96 Writes to foreign memory regions 37->96 98 Maps a DLL or memory area into another process 37->98 42 NEW PO.exe 37->42         started        45 RegAsm.exe 37->45         started        100 Hides that the sample has been downloaded from the Internet (zone.identifier) 40->100 process13 signatures14 102 Writes to foreign memory regions 42->102 104 Maps a DLL or memory area into another process 42->104 47 NEW PO.exe 42->47         started        50 RegAsm.exe 42->50         started        106 Hides that the sample has been downloaded from the Internet (zone.identifier) 45->106 process15 signatures16 118 Writes to foreign memory regions 47->118 120 Maps a DLL or memory area into another process 47->120 52 NEW PO.exe 47->52         started        55 RegAsm.exe 47->55         started        122 Hides that the sample has been downloaded from the Internet (zone.identifier) 50->122 process17 file18 80 Writes to foreign memory regions 52->80 82 Maps a DLL or memory area into another process 52->82 58 RegAsm.exe 52->58         started        60 RegAsm.exe 52->60         started        62 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 55->62 dropped 84 Hides that the sample has been downloaded from the Internet (zone.identifier) 55->84 signatures19 process20
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9efe7e30ea15e98bd89bd340662d1c23a37efe66af1eec0275a7138b043cae37/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 02:37:51 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t37h4mhkcxuyxwe32nagmli4eorx57tgv4poyatvu4jywbb4vy3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
024a7a5c317494884d0d691409884e2bf0e842167c9b5b1ea0d4486d480ba006
AgentTesla
16f661258c7572ebd08fa986cfe3e2f1b24196d366d048102900e60979f42ca4
AgentTesla
25dc175eba82b0e5f1438cfcf929a5ecfdaebe46453c97a08d20f1c762fcb92f
AgentTesla
39c515aecf42295136801c4a1a847d80bc8269ad5cf20c512af98a020cd7a699
AgentTesla
6e85d010198944cd284d9fdc636e1d690d6c77b2e1bfabbc41e1f8941ea72332
AgentTesla
6fa3a8b31b5aa450afc06a2a08149af42ef62ae7be55d93db25ec2c3e3edb93f
AgentTesla
781a56527b7273e5936047b5646c62d2ce6e3b4e24af696d75720caf764dfcb0
AgentTesla
af4614a203bf30b1a7d9cd1f3eb86ea531dd2f15849a69fd8df3f0502f58e4e1
AgentTesla
f4540704d5523550479941871d2af08967a64523fe1110f90a37bbd85e935f49
AgentTesla
f8e79509055e8e73a467ac3fc37c303ce1968417c0d4cc76df99af32cf692f02
AgentTesla
+ 10'747 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence trojan spyware family:agenttesla
Link:
https://tria.ge/reports/200806-f7cy138lja/
Behaviour
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9efe7e30ea15e98bd89bd340662d1c23a37efe66af1eec0275a7138b043cae37

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar af718e9960eedaf8c50838f9ee72ae9993f912e0d929585bf9c312f888c009a8

AgentTesla

Executable exe 9efe7e30ea15e98bd89bd340662d1c23a37efe66af1eec0275a7138b043cae37

(this sample)

  
Dropped by
MD5 3be5c716284c354b5240b37136422860
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/40066/
  
Dropped by
SHA256 af718e9960eedaf8c50838f9ee72ae9993f912e0d929585bf9c312f888c009a8

Comments