MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dd5712ad571847f064a5dfcd49ee82e3d2b42959bef23a773512dc41af030f6e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dd5712ad571847f064a5dfcd49ee82e3d2b42959bef23a773512dc41af030f6e
SHA3-384 hash: fef865a19a9142edfc554d0b15f3638732f4188bcf2bc88794f293bcf8f8e7aa0c3c80306bee1378b1710798f3d3afa8
SHA1 hash: faf9f0123dbc7631afc51894d3286fe49605973b
MD5 hash: 61c0e413b5005c4ab5201b650460887d
humanhash: sodium-beryllium-blossom-lemon
File name:po.rar
Download: download sample
Signature AgentTesla
Create hunting rule
File size:860'672 bytes
First seen:2020-08-31 06:39:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:qrCPTadpsIBMeUwpMg87CeDtcmqSAnj2ES03XSbEfPTmSVgIJW:Ta7sUM9wigTXHxk0nSK6S3J
Threatray 9'390 similar samples on MalwareBazaar
TLSH DC05D029031D9B2FD91871BD2480409CD1F1AB81EA39F1C8EE6731A455D639DFBAE3C6
Reporter abuse_ch
Tags:AgentTesla rar


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: virtualhost.com.tw
Sending IP: 175.183.3.134
From: Jason Chen-JIEZHOU ENT. <jason@jiezhou.com.tw>
Reply-To: jr210131mr@gmail.com
Subject: NEW ORDER
Attachment: po.rar

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/53288/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/454949
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279850 Sample: po.rar Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 43 Found malware configuration 2->43 45 Antivirus / Scanner detection for submitted sample 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 5 other signatures 2->49 6 KYHka.exe 3 2->6         started        9 po.exe 3 2->9         started        12 KYHka.exe 2 2->12         started        process3 file4 51 Antivirus detection for dropped file 6->51 53 Multi AV Scanner detection for dropped file 6->53 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->55 61 2 other signatures 6->61 14 KYHka.exe 4 6->14         started        29 C:\Users\user\AppData\Local\...\po.exe.log, ASCII 9->29 dropped 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->57 59 Injects a PE file into a foreign processes 9->59 18 po.exe 2 7 9->18         started        21 KYHka.exe 4 12->21         started        23 KYHka.exe 12->23         started        signatures5 process6 dnsIp7 31 smtp.sunfershintl.com 14->31 33 192.168.2.1 unknown unknown 14->33 35 smtp.sunfershintl.com 18->35 37 us2.smtp.mailhostbox.com 208.91.199.225, 49714, 49718, 49734 PUBLIC-DOMAIN-REGISTRYUS United States 18->37 25 C:\Users\user\AppData\Roaming\...\KYHka.exe, PE32 18->25 dropped 27 C:\Users\user\...\KYHka.exe:Zone.Identifier, ASCII 18->27 dropped 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->63 65 Tries to steal Mail credentials (via file access) 18->65 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->67 39 smtp.sunfershintl.com 21->39 41 208.91.199.223, 49724, 587 PUBLIC-DOMAIN-REGISTRYUS United States 21->41 69 Tries to harvest and steal ftp login credentials 21->69 71 Tries to harvest and steal browser information (history, passwords, etc) 21->71 73 Installs a global keyboard hook 21->73 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dd5712ad571847f064a5dfcd49ee82e3d2b42959bef23a773512dc41af030f6e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 00:24:03 UTC
AV detection:
22 of 26 (84.62%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=3vlrflkxdbd7azff37gut3uc4pjlikkzx3zdu5zvcloedlydb5xa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04803c612483d76474860d5942b69d5ee3a68987a258b76283d60b345c188c62
AgentTesla
04bc203b9c68d45a74189f7a7bc180fe4fe0304583fae10dee4b036a66e54437
AgentTesla
205a2f88f490388970c68b7512acfb90756655b4115e3bbe7b2b77efeab58bdf
AgentTesla
275559f7e9052564ecacedb07b93ea0e552fe3cf4d5b3bbf315e1494efd712e2
AgentTesla
4f4da7ed9a3d252b36eb7231d63b5e05eae88bec7edaa044fb5590e49d8db950
AgentTesla
527bf96dc4d090f961c250f7c6411f477acfafcea3a80e83f4f567a0d497f632
AgentTesla
640e087a78aa77a9bb49027500f1f29f9d31f5b64c13c99b690ea813d0737fd4
AgentTesla
6ef9a45a617adf0e0ff740e37c865325289a110394725c393c314a3128a2575f
AgentTesla
6fadee8038751819aef12bc1abc18e17efbc53a8cdfb977dc5cde08e5d0c1552
AgentTesla
f765fffe688f5d61d9dfcca89d0ec5c1b91236b00ee7240d6754f422894901d5
AgentTesla
+ 9'380 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Link:
https://tria.ge/reports/200831-l7h6lq9xee/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.97
Link:
https://yomi.yoroi.company/submissions/dd5712ad571847f064a5dfcd49ee82e3d2b42959bef23a773512dc41af030f6e

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe dd5712ad571847f064a5dfcd49ee82e3d2b42959bef23a773512dc41af030f6e

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53288/

Comments