MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b250144e3bf196501c5064576d34ff66398323d7862e957f359a263d7a0c3636. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: b250144e3bf196501c5064576d34ff66398323d7862e957f359a263d7a0c3636
SHA3-384 hash: 5ecb9c12e050a20ed1b1343d0f04706e0a80a61c787fb30948f786e0511197f32b474181f5ba5b667d800b826aa5793d
SHA1 hash: 931dd659e1b25157cb04eddd79fe7581511842b5
MD5 hash: 930091c98bb3b061c28b243dff029dee
humanhash: purple-salami-aspen-seven
File name:Invoice.pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:590'336 bytes
First seen:2020-08-31 09:18:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:5FJnrOgS1NE31qAejhR4Qi2D4hSuaOPqB0EYAb2Sr03U/eODiDC60hp7o6T+oNZr:/3SYJ2oaOA/P0E
Threatray 9'575 similar samples on MalwareBazaar
TLSH 54C42331214CCBAAD7F80DF2946D38BCC7B45C4B993DE59C68D872E262B23858356F46
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gyp.gr
Sending IP: 46.227.62.27
From: DH CHONG <info@dorringolab.com>
Subject: Invoice Re-Confirmation
Attachment: Invoice.pdf.7z (contains "Invoice.pdf.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53337/
Detection(s):
SecuriteInfo.com.W32.Trojan-7.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Stealing user critical data
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/455092
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279921 Sample: Invoice.pdf.exe Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 66 Found malware configuration 2->66 68 Sigma detected: Scheduled temp file as task from temp location 2->68 70 Yara detected AgentTesla 2->70 72 7 other signatures 2->72 7 Invoice.pdf.exe 4 2->7         started        11 YYtJku.exe 3 2->11         started        13 YYtJku.exe 2->13         started        process3 file4 44 C:\Users\user\AppData\Local\...\tmp72EB.tmp, XML 7->44 dropped 46 C:\Users\user\AppData\...\jBFkxcVwbky.exe, PE32 7->46 dropped 74 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->74 76 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->76 78 Injects a PE file into a foreign processes 7->78 15 Invoice.pdf.exe 2 5 7->15         started        20 schtasks.exe 1 7->20         started        22 Invoice.pdf.exe 7->22         started        24 YYtJku.exe 2 11->24         started        26 schtasks.exe 1 11->26         started        28 YYtJku.exe 11->28         started        30 YYtJku.exe 13->30         started        32 schtasks.exe 13->32         started        signatures5 process6 dnsIp7 48 us2.smtp.mailhostbox.com 208.91.198.143, 49713, 49723, 587 PUBLIC-DOMAIN-REGISTRYUS United States 15->48 50 192.168.2.1 unknown unknown 15->50 40 C:\Users\user\AppData\Roaming\...\YYtJku.exe, PE32 15->40 dropped 42 C:\Users\user\...\YYtJku.exe:Zone.Identifier, ASCII 15->42 dropped 54 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->54 56 Moves itself to temp directory 15->56 58 Tries to steal Mail credentials (via file access) 15->58 60 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->60 34 conhost.exe 20->34         started        36 conhost.exe 26->36         started        52 208.91.199.223, 49725, 587 PUBLIC-DOMAIN-REGISTRYUS United States 30->52 62 Tries to harvest and steal ftp login credentials 30->62 64 Tries to harvest and steal browser information (history, passwords, etc) 30->64 38 conhost.exe 32->38         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/b250144e3bf196501c5064576d34ff66398323d7862e957f359a263d7a0c3636/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 03:02:57 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=wjibitr36glfahcqmrlw2nh7my4ygi6xqyxjk7zvtitd26qmgy3a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1df1597314ab01b00a84f5a025cb5112828d20fbc59dd3098fcb45fb88534661
AgentTesla
36c63120981769bc6a508edf5da75eae9504ab5a1ffa0fe8d9032ed9b8c124e2
AgentTesla
37677fa0c9255eb7368ce3d54a42e2b3e23eff33c6e2008406d9f32a71b565b8
AgentTesla
481042b6d1f2b599b5ab6ba70a592ca48ade285d6fcd9f2e28b5896dea5eff71
AgentTesla
48a5abcc8747f68f37186e3ea12f28670ff16653dc7f24315d0b54bac9211cce
AgentTesla
4ba3daeca73f3cde751424f8ec9972e274e0ffe915ce7c58eac0bf4d278920b1
AgentTesla
545305810b041d0a1ea357652c1b98aa714b039c16af8d1d7ecdd8e513a59d8b
AgentTesla
bf16393640303afe03a092d605a39a69d05158bce15d690128ef2b2103dfa5c7
AgentTesla
e8a210e30024fc86199e27d632e3e5d0768fde8c82cf609f37b8c44158d69a98
AgentTesla
f26cad39a95a51a11c07b703380ea422e89e1ed97160dfb30e201a384f82493c
AgentTesla
+ 9'565 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Link:
https://tria.ge/reports/200831-lln1xalgk2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/b250144e3bf196501c5064576d34ff66398323d7862e957f359a263d7a0c3636

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 0770133d27e47a0cbbac1ce9e1147182a607711907158b2f97b6dda8cea997d7

AgentTesla

Executable exe b250144e3bf196501c5064576d34ff66398323d7862e957f359a263d7a0c3636

(this sample)

  
Dropped by
MD5 07eb6b28637c601a058c32f7dc9a8f7a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53337/
  
Dropped by
SHA256 0770133d27e47a0cbbac1ce9e1147182a607711907158b2f97b6dda8cea997d7

Comments