MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b0813d378a8beb9c5ffa76eff2a030482a0b1b8a011b455db9186de4508b3ece. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	b0813d378a8beb9c5ffa76eff2a030482a0b1b8a011b455db9186de4508b3ece
SHA3-384 hash:	e7da6a80b1aa88ab2f9e5c3c5c3c4d2c24f9db2a1038492750f939947a5a6e29349907152751f6eeabd5b0f73055ee69
SHA1 hash:	1aea60fc2b878904280d01e7d9e4ac20cc67560b
MD5 hash:	d51aa4227cefe1c1f5fac57712d9ff5a
humanhash:	fourteen-black-potato-alaska
File name:	Ticari Hesap Özetiniz.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	570'368 bytes
First seen:	2020-08-27 08:42:13 UTC
Last seen:	2020-08-27 10:09:52 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:gUk3Fxdi0KSMufFsJTMROT3JLBqoM/UH:s31KSRIT9T3FF9
Threatray	54 similar samples on MalwareBazaar
TLSH	76C4126007ADCB15EAFF0BFAC46E314043F1B9952975E38A4961D2DB28F77904E427A3
Reporter	abuse_ch
Tags:	AgentTesla exe geo TUR

abuse_ch

Malspam distributing AgentTesla:

HELO: ns3022570.ip-51-254-199.eu
Sending IP: 51.254.199.53
From: Akbank Ticari Bankacılık <ticaribankacilik@bilgi.akbank.com>
Subject: AĞUSTOS 2020 Ticari Hesap Özetiniz (Ref:1353878463)
Attachment: Ticari Hesap Özetiniz.rar (contains "Ticari Hesap Özetiniz.exe")

AgentTesla SMTP exfil server:
mail.pkstyles.pk:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/51692/

Detection(s):

SecuriteInfo.com.Trojan.Siggen10.9265.6770.22903.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Launching the process to change network settings

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/452441

Signature

Binary contains a suspicious time stamp

Found malware configuration

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Capture Wi-Fi password

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/b0813d378a8beb9c5ffa76eff2a030482a0b1b8a011b455db9186de4508b3ece/

Threat name:

ByteCode-MSIL.Trojan.FormBook

Status:

Malicious

First seen:

2020-08-27 06:56:41 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wcat2n4krpvzyx72o3x7fibqjavawg4kaenukxnzdbw6iuelh3ha._file

Verdict:

unknown

AgentTesla

15ea783eaed5ea26907b2c782e5e201a56f2fe0a76005bb42a0b1ae72fe05c9f

AgentTesla

2ece9ea188efe1c9818ed0dd874ddcc1f88466baefb8bf369917be577ca006d6

AgentTesla

384e9e2987d36d51e9a29f4e780a1f87e852f6e57a28d62930144e7a2ac9c852

AgentTesla

57227e050e647b24bd8029baecc2cf918c67bd3396af98dae1b6a87d37edc12c

AgentTesla

708e8ea4397b44ad8e1ea8ef53b0697dec1e09b6c454c7bf4654120e04a903f8

AgentTesla

7b23ee97c4ef7c1756202b63bf98f9b4e3235cd715cfa639368f7fa30f14ac26

AgentTesla

8bd67af43b81d9303bc114e81c598c9ae1cb4d55315c750ae3eea3691513c94f

AgentTesla

9b1328490717e1e3c97216a17bf36b67103a40dae3bbac6865487e51fea82b32

AgentTesla

b320085d9b4a8bbb0573f39896e3c812f24a11628ffcdf0895611bfa2b0a5354

AgentTesla

+ 44 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware persistence trojan family:agenttesla

Link:

https://tria.ge/reports/200827-rm1vkxt7p2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Farheyt

Score:

0.80

Link:

https://yomi.yoroi.company/submissions/b0813d378a8beb9c5ffa76eff2a030482a0b1b8a011b455db9186de4508b3ece

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar