MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab7b7b589c80bc6ceb6f90ef56b1b9041f03cf2b67792542dd5e4f738db99c44. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	ab7b7b589c80bc6ceb6f90ef56b1b9041f03cf2b67792542dd5e4f738db99c44
SHA3-384 hash:	e99bb58ca864681eb173fea42e88769a95cedfbc6f13b349a9ed77f2c09fd52b7a215512588d9951cffdf37a57676c11
SHA1 hash:	a6f1a2f08cd10d995e2fba473e6870d6167b6f20
MD5 hash:	b5d2a3efba7ffd9833e3bc7a6eba8fd8
humanhash:	enemy-october-maine-georgia
File name:	Orden de compra urgente.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	574'976 bytes
First seen:	2020-07-16 10:42:03 UTC
Last seen:	2020-07-16 12:08:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:kX2GXTh2k4zUkfH0sCD/cAwRao9r96gtR26oX0TPzulUIvFf:kX2ThWcLRao9rTgBXSP
Threatray	11'116 similar samples on MalwareBazaar
TLSH	BBC48CD83510719EC85F8D7649A4DC30AA206C62F7FBE203A3C36E9F793D596DE051A2
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: outmx-267.london.gridhost.co.uk
Sending IP: 31.170.120.152
From: Plásticos Ferrando, SL <tuberias@ferrando.net>
Reply-To: PLASTICOS FERRANDO <Ventas@imagencolor.cl>
Subject: Re: Orden de compra
Attachment: Orden de compra urgente.r00 (contains "Orden de compra urgente.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/26702/

Detection(s):

SecuriteInfo.com.CAP_HookExKeylogger.1038.27486.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/389579

Signature

Contains functionality to register a low level keyboard hook

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/ab7b7b589c80bc6ceb6f90ef56b1b9041f03cf2b67792542dd5e4f738db99c44/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-16 10:43:12 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vn5xwwe4qc6gz23psdxvnmnzaqpqhtzlm54skqw5lzhxhdnztrca._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1237b8ef1ef28e7481b47113c644429a68c87858cc5ee8a020607f75696863d1

AgentTesla

13444c52c094b2067a66767847b8a2151da087a99c9391a2547a53a3e4de7056

AgentTesla

1585d935d47ff234d4b9a71e4f30d0731677d06f430894496c58153011bb90b7

AgentTesla

2331837cf27d223a23b000cdf14f026c383a628ae69d516726b19fcb9424359a

AgentTesla

305586aa88966e490ba86bb7cd7a2e1cbe9f195c84b70aaf5ef0c9e714961723

AgentTesla

34408552d34edc061e6bce5aa476bdfa09f5c8a7f1936d902dea430c0fa14d62

AgentTesla

3734824d00294eebe71c8752193e73abd3a07e3a51458f18c2470e44098e26b8

AgentTesla

3a646d051e183a55d297b684e6f74bc95ab57846c8ffde301338a5b60f8ed7c7

AgentTesla

e8917cab54dca8c56976f8fa973521d58d0fc5abc196906a2aaee1e31c8b007c

AgentTesla

+ 11'106 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200716-2bfzlmk7bj/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar