MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8bff638ab741d8bd757836e38d34c8813a7b1b37cc051f176c322ec7e03b9e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e8bff638ab741d8bd757836e38d34c8813a7b1b37cc051f176c322ec7e03b9e6
SHA3-384 hash: 0b4fcc2dbeb859145a1e7940a1c5749ecdb3d36f369c3a47a591839c6790d9dbfff1404e7fd352bfb22183d663d2588c
SHA1 hash: fabecb4ba567bd9ef504ec1cedfbcd252b1d72cc
MD5 hash: 772570beebca539f17ff21c3ad453e5b
humanhash: spaghetti-fanta-oxygen-happy
File name:Quotation Request Frozen food Supply Tender 45890502020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:604'160 bytes
First seen:2020-08-17 06:09:10 UTC
Last seen:2020-08-17 07:00:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:n5E7fiN0FA9liTpwZIGlbCb+mv6OF5zenvsfqr95G3MV+qa:n5WrW9upERdzg5zeEA3+MQB
Threatray 10'628 similar samples on MalwareBazaar
TLSH D8D41233B194C504D0392736C959136823F49BC67822FF3E7D99276E99A93D28B06FC5
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: vm86.entorno.es
Sending IP: 195.162.18.227
From: Sky Sim <sky.sim@fishsingapore.com>
Subject: F.I.S.H GROUP PTE LTD : RFQ 180797-AFL/001 - Frozen Cuttlefish whole round (Non-soaked) + Hoso Bt shrimps, 2x20Ft CNF Antwerp, Belgium
Attachment: FISH GROUP PTE LTD RFQ 180797-AFL00120.r00 (contains "Quotation Request Frozen food Supply Tender 45890502020.exe")

AgentTesla SMTP exfil server:
mail.corroshield.co.id:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
67
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/46631/
Detection(s):
SecuriteInfo.com.Generic.mg.772570beebca539f.12113.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/432530
Signature
.NET source code contains potential unpacker
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e8bff638ab741d8bd757836e38d34c8813a7b1b37cc051f176c322ec7e03b9e6/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 00:29:51 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5c77mofloqoyxv2xqnxdru2mraj2pmntptafd4lwymroy7qdxhta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c3a47dbc7043ac227c4776785a260344b90643ed1d6b46a21cb78463ff69c56
AgentTesla
3f7f872fea7066d980a443d82e9ec8c3c97fddd2f658b24919589bbdf4de1bcc
AgentTesla
68fc1b87f19de1765e5dab39ebabef62e2acf44a61942918016dad9513e8b910
AgentTesla
79b66f49f1e60dc5ab20d82847be8138091d1a14b1d29af0de21175323418cee
AgentTesla
7c1edf2a2fd0fc1499931f60cd7363812513b4f410ae32677a7a63c355568ecd
AgentTesla
920793d133d7ad17ee4d14870e23dfba742ecd19e45a8a0c3e1105605b71cc8e
AgentTesla
a57377248d090fc6d978b44203af0d963fafd8da10e725f0d2e2ead42a3f574f
AgentTesla
a678440e1f830f05b0fac3d40d08457d2358b00534042726fa375955ae02c282
AgentTesla
a6e562d91aecb4f9ee29779f6d23d4de1e58460e5d3e15182ff1c1ff0ce76610
AgentTesla
cbca1b2ee6c097f73a866a102f4f17a5966ede96d69b51d6702a0882181fa866
AgentTesla
+ 10'618 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200817-4a9q882n7s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e8bff638ab741d8bd757836e38d34c8813a7b1b37cc051f176c322ec7e03b9e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 28a22f0c29452099b1d3ea7062c32f54c55d95db8455d7dd831cf82297cd0a61

AgentTesla

Executable exe e8bff638ab741d8bd757836e38d34c8813a7b1b37cc051f176c322ec7e03b9e6

(this sample)

  
Dropped by
MD5 7334c295f7ecb693931f98cf642eb2e0
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 28a22f0c29452099b1d3ea7062c32f54c55d95db8455d7dd831cf82297cd0a61
Cape
Cape
https://www.capesandbox.com/analysis/46631/

Comments