MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 da283473a2f9bd5bb26dbe283b4d037f0992a8d87fbd6116b76505958394675c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	da283473a2f9bd5bb26dbe283b4d037f0992a8d87fbd6116b76505958394675c
SHA3-384 hash:	09c56634ced5fdc480f93a12a000eab4d7b4cc2336a08cbb9b99a600d58fa95223ef1f3e26a98c35303f96bb09a75345
SHA1 hash:	6f5105278115426cc82331006d371c1bda2efff4
MD5 hash:	0fd1d4bfd6007d50256fa0f663a213de
humanhash:	arizona-fifteen-hot-jupiter
File name:	scanned_copy_10292.sc.zip ~90 KB.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	610'816 bytes
First seen:	2020-08-31 11:27:59 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	a5b3a1e09e383877ce51c417b22d34c3 (4 x AgentTesla)
ssdeep	12288:1MdBkg/MHjPKL8/JoTrKIwRhzhBJMKInpCv6kbZ:1M8AMmLo4rK/hzknpCikb
Threatray	10'977 similar samples on MalwareBazaar
TLSH	7FD423B5D0CB93F5CE1C08358B66A8B5631E24D62C36A60BFDC2FC4175B07D79321AA9
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: paymontly.servers.prgn.misp.co.uk
Sending IP: 185.20.50.76
From: Hana Janku <hana.janku@italbrescia.com>
Subject: Our Reference {090688}
Attachment: scanned_copy_10292.sc.zip ~90 KB.gz (contains "scanned_copy_10292.sc.zip ~90 KB.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/53448/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Sending a UDP request

Reading critical registry keys

Launching the process to change network settings

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/455356

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Capture Wi-Fi password

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/da283473a2f9bd5bb26dbe283b4d037f0992a8d87fbd6116b76505958394675c/

Threat name:

Win32.Trojan.Zusy

Status:

Malicious

First seen:

2020-08-31 03:24:47 UTC

AV detection:

15 of 48 (31.25%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=3iudi45c7g6vxmtnxyudwtidp4ezfkgyp66wcfvxmuczla4um5oa._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

7927d24010f7ec25ea4026291036fbab975b5ff66398658e15c59165bb71e953

AgentTesla

9eb1f39ae32ed2c3289f148c0182ef2f8916fe7283400fcffd262798c08ded91

AgentTesla

a884c6f90ec51dc6d39304e05efe5820d5c11afcd90abeaca8969b4adb9448e7

AgentTesla

c04b8ae6d8b950026abcfb92547590a9ae27fe60218542ff96ea94880536c80d

AgentTesla

c3cf7a61f0ab30656aa7dd49ad4888794833ac3ae9eaf61391c4940117a4fd7f

AgentTesla

c905064bb651ad48f6a67415f4b982254e6f816ff03b1f19d3da32da19a8d788

AgentTesla

d223c5d9e8c4529cf905bb3c777f6850b21babd5ef85cd270db5a9e760ba4e0f

AgentTesla

efd857b9c713b00e8359f0c58fdb42124b2b3fccbfd5de1ef95156cdee038170

AgentTesla

faa14b162487c010a973901cb7a91e48c512b0193fd449be475f94c32b0ff212

AgentTesla

+ 10'967 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/200831-5ya3q72tgx/

Behaviour

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tinba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/da283473a2f9bd5bb26dbe283b4d037f0992a8d87fbd6116b76505958394675c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/