MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d9548af699ea47a6fdfe15232a9d1d2d30f082107533d21b18b1b0342a4cfb94. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d9548af699ea47a6fdfe15232a9d1d2d30f082107533d21b18b1b0342a4cfb94
SHA3-384 hash: 83f9cf202020c4d6fdf49328a111317415bd3540132f49d79ba4048bc3e12b13d30b30e03e27731f2bd371d0a7ea3e50
SHA1 hash: 616ffa19ad3042b603d20bed8f69926eba44b641
MD5 hash: 0ce0123120089c2a4fbba33501b53daa
humanhash: india-potato-texas-ceiling
File name:PAYMENT CONFIRMATION (2).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:666'112 bytes
First seen:2020-08-04 10:43:49 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:AHAgbCa8sGQT5WZUwT/s0LtcdFLio5F4t4icEf6ZsN/9RAg4x9GKH9Ij8iGAr9WI:AHX8kT6Ns0LtcdIo34N/9RADUpYiG
Threatray 10'989 similar samples on MalwareBazaar
TLSH CAE428392A82A505D97D093188B45AD037B1BE473B12CB1F79C6374C6F236DB3B4726A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.domain.com
Sending IP: 194.187.249.92
From: Sharjah <hjw@shengjiu.com>
Subject: RE: Reply: order confirmation
Attachment: PAYMENT CONFIRMATION z.zip (contains "PAYMENT CONFIRMATION (2).exe")

AgentTesla SMTP exfil server:
webmail.chennairealty.biz:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/38494/
Detection(s):
Win.Malware.AgentTesla-7660762-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Running batch commands
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj
Score:
51 / 100
Link:
https://www.joesandbox.com/analysis/409278
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Initial sample is a PE file and has a suspicious name
Sigma detected: Add file from suspicious location to autostart registry
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256930 Sample: PAYMENT CONFIRMATION (2).exe Startdate: 04/08/2020 Architecture: WINDOWS Score: 51 27 Yara detected AgentTesla 2->27 29 Sigma detected: Add file from suspicious location to autostart registry 2->29 31 .NET source code contains very large array initializations 2->31 33 Initial sample is a PE file and has a suspicious name 2->33 7 PAYMENT CONFIRMATION (2).exe 7 2->7         started        10 pcalua.exe 1 1 2->10         started        12 pcalua.exe 1 2->12         started        process3 file4 23 C:\Users\user\AppData\Roaming\...\uche.exe, PE32 7->23 dropped 25 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->25 dropped 14 cmd.exe 1 7->14         started        16 uche.exe 2 7->16         started        process5 process6 18 reg.exe 1 1 14->18         started        21 conhost.exe 14->21         started        signatures7 35 Creates an autostart registry key pointing to binary in C:\Windows 18->35
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/d9548af699ea47a6fdfe15232a9d1d2d30f082107533d21b18b1b0342a4cfb94/
Threat name:
ByteCode-MSIL.Backdoor.Bladabhindi
Create hunting rule
Status:
Malicious
First seen:
2020-08-04 05:07:00 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=3fkiv5uz5jd2n7p6cursvhi5fuypbaqqouz5egyywgydiksm7oka._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c92c000cf6c2379961f35355527b1886d053245d90a584d8d7191bcb6ebccb6
AgentTesla
2b43a5db31de41485df72f364b2b9d137783c6097954a2a386906b58200a620d
AgentTesla
89b4121aae370dd8b644fc0e426e24d17087b25e1646aaf02e56b147627efd16
AgentTesla
91433fed32b520cfc98adb3cd6bae0a973117440474e47eff440bddb37262287
AgentTesla
95d334eb3cabab89dede94fa1fdfb66560e7ca453ac25be1729a5c0d2e783934
AgentTesla
9a3f18b05ce5e0ad884dc95af226f584d483a91dd15cb895a0cce8b91fb2b314
AgentTesla
bffc9c0c74952c439ca980be37a1f1e21c182b13c992f1a345a541413bfea91a
AgentTesla
dc7dcd0b09fa13bd6af193cac9a2b68892f0b51670b045a824806852f4205689
AgentTesla
e5edfd475d221c16d7746d48088b91fc05cfbb87dced300ef16151deeb6e0ac5
AgentTesla
ffb914ef6c0c0b2077f019be5f0fc486ff611af6ba5922bb4f9a44e57565b77e
AgentTesla
+ 10'979 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer family:agenttesla
Link:
https://tria.ge/reports/200804-yhn4g7xqxs/
Behaviour
AgentTesla Payload
Agenttesla family
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d9548af699ea47a6fdfe15232a9d1d2d30f082107533d21b18b1b0342a4cfb94

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 6d53199283377282f86b2907fb19de387ff6c5f84e01f723ed120e2447d8af03

AgentTesla

Executable exe d9548af699ea47a6fdfe15232a9d1d2d30f082107533d21b18b1b0342a4cfb94

(this sample)

  
Dropped by
MD5 797bbe29542d3eede681ca3ff199e84b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/38494/
  
Dropped by
SHA256 6d53199283377282f86b2907fb19de387ff6c5f84e01f723ed120e2447d8af03

Comments