MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e593655b5dafbbb4d5a991689b883d1304c8b653a714ec724d31c08ed37f13d5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	e593655b5dafbbb4d5a991689b883d1304c8b653a714ec724d31c08ed37f13d5
SHA3-384 hash:	ac7e51c27c56a0890dfee380260bc61e5ee63445b9bca2277f150ac4a2daf2fa680f1bbec7dfd89e0b64984aeeeff938
SHA1 hash:	6638ff15e305ba040a2b8be11da8ad636c016989
MD5 hash:	52e11728259ce9ed9db193fcbb65cbc9
humanhash:	quebec-red-alpha-hamper
File name:	BOQ Quotaion Request Data Sheet Requirement No 0020022020.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	609'280 bytes
First seen:	2020-08-16 13:55:48 UTC
Last seen:	2020-08-16 15:07:27 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:8XYbWvxUOTQnxpwgHSu704QKJVBrVZlXYSKsItinBCaYfeC8XyECu9+qa:8oBOspw6Su7VQGZlzI0B9YD81YB
Threatray	10'624 similar samples on MalwareBazaar
TLSH	78D41223F2E4AB59C5B86F7540B0275016F2A1C5EE62F71CAD4814CDB6A73CAC241FE6
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: vm86.entorno.es
Sending IP: 195.162.18.227
From: Surya Narayana <surya.narayana@faskkuwait.com>
Subject: RE: SUPPLY TENDER NO 4589070: RFQ 002022020 FOR Fask Kuwait Gen. Trad & Contracting Co.
Attachment: FASK Kuwait Co Supply Tender RFQ 002022020.r00 (contains "BOQ Quotaion Request Data Sheet Requirement No 0020022020.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/46467/

Detection(s):

SecuriteInfo.com.Generic.mg.52e11728259ce9ed.17270.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/432259

Signature

.NET source code contains potential unpacker

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Moves itself to temp directory

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e593655b5dafbbb4d5a991689b883d1304c8b653a714ec724d31c08ed37f13d5/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-08-16 10:43:45 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4wjwkw25v653jvnjsfujxcb5cmcmrnstu4koy4snghai5u37cpkq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1f5f7921e3be739b51bead01306a9cc5dc7fec1dbc01a6784497de89afb6742c

AgentTesla

69141d8c99ebc4e3298c2e7203d061fe46d3bd513e3f93498a9fe2753cd82b8a

AgentTesla

6b3c0907618cdc1bdcb07dd987ee91dbcc691b2181d947e81d8d2756d7cea195

AgentTesla

77bb6489c1fd6c87f2ba80955211d0eef9be425d4e6076bd7280c6f87f9f3300

AgentTesla

7811b5864571348651746538905398e08bc9a5a11d6cb27ff6dd7a970be77741

AgentTesla

babb19e7cb06c97942ebdda46ddfe8435b8281ab8459080e0282485e02d587d4

AgentTesla

ed847b13d7e0e4544eba48cd80e78a0dc002a8c46b3acb871113ad5be5f44916

AgentTesla

f16ce9d494986b9f5a386de9b3a9a691c7939db12d030daf87cbb4c5f299f315

AgentTesla

f6fb0f9050f39e6c6b3441d6a71d0e975552093fcf77f1d45ab06ef9b1fd7691

AgentTesla

+ 10'614 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200816-p4ksbyyq4s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e593655b5dafbbb4d5a991689b883d1304c8b653a714ec724d31c08ed37f13d5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar