MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bacd9f9cb9c0f2ac12f70b61102563449a2ca1de047567c66c6733395ce9200a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	bacd9f9cb9c0f2ac12f70b61102563449a2ca1de047567c66c6733395ce9200a
SHA3-384 hash:	e99310091d05a1d43779d7393ba957564a0840841306d35c8a581e31ce560454a9483715a4a8102f2952f37ca6883000
SHA1 hash:	493fe2ff12452902cc6dd4397c51ccfb5b43f0c3
MD5 hash:	3caa9f85e3ddcf2d22d832744d16a223
humanhash:	georgia-nitrogen-bluebird-north
File name:	final reminder.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	580'608 bytes
First seen:	2020-07-16 08:07:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:Mp2H2k4zUB2DFenYqv6JY9BYyjDaF9+NVjGJwLNz+fUPLI8:9TQ+Yqv6Jq/jDlGKN
Threatray	11'107 similar samples on MalwareBazaar
TLSH	41C49DD83550759EC81FCD768964DC30A6202D62F7FBD20363C36E9FB93C696CA152A2
Reporter	abuse_ch
Tags:	AgentTesla exe HostGator

abuse_ch

Malspam distributing AgentTesla:

HELO: gateway32.websitewelcome.com
Sending IP: 192.185.145.187
From: Barr.Klara-Marie Bartels <Solicitors@hgc.com>
Subject: HCG Esq: Outstanding JUN,17 (URGENT)
Attachment: final reminder.gz (contains "final reminder.exe")

AgentTesla SMTP exfil server:
mail.szeklicki.com:587

AgentTesla SMTP exfil email address:
woda@szeklicki.com

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/26503/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Enabling autorun with Startup directory

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/389443

Signature

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/bacd9f9cb9c0f2ac12f70b61102563449a2ca1de047567c66c6733395ce9200a/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-16 08:09:04 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=xlgz7hfzydzkyexxbnqrajldisnczio6ar2wprtmm4ztsxhjeafa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

24c4b4da9b6d215fc8a3fd32f9ce8873b37facf1b85b36b8333a441cfa469412

AgentTesla

334fcafceb7ca23de3e995d89957290ca49594c51b01929309213be32072d90c

AgentTesla

3734824d00294eebe71c8752193e73abd3a07e3a51458f18c2470e44098e26b8

AgentTesla

5f015a041524e050c10d8da9ccc0e888994589cf7e586e3e51467836324145ba

AgentTesla

72aedefba6c5dc3e13064e87ae4389a18d0293b58214a157ef4c87a8f1538b33

AgentTesla

751dffc7391890afbcb40a55e29bd319d8b4a9e2e0438c5f5939ac09ab6ae297

AgentTesla

c3fd98f22e44b06271c6a46b217d59ba69b4bb181400d3fc1efe5cf9ca540a19

AgentTesla

cae8cc4a40faf9c3474f86baf427e7eb1c63c4d75afec8a99da5f616752ffbdd

AgentTesla

e8917cab54dca8c56976f8fa973521d58d0fc5abc196906a2aaee1e31c8b007c

AgentTesla

+ 11'097 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger trojan stealer spyware family:agenttesla

Link:

https://tria.ge/reports/200716-mnye6d3wfa/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar