MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec6afc29beafb4093f0aca9fa00e1c3097dac94baee4801eebc5043de4556781. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ec6afc29beafb4093f0aca9fa00e1c3097dac94baee4801eebc5043de4556781
SHA3-384 hash: 0ee7787df6b5d782fe81eee9a9edfea411deeddac1916e1116e03e393ceb7eae6cb917221fedc08a401049d54986370c
SHA1 hash: 34a9e953a5f45a3c187af4f370feb395b6c2a45f
MD5 hash: 05eaf101a0b976d96093eac5002e020b
humanhash: zulu-twelve-bulldog-equal
File name:Payment Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:424'448 bytes
First seen:2020-08-05 12:57:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash dca25223c79d933c0a8efd09e5ca88bb (3 x AgentTesla)
ssdeep 12288:tta3LlqSuoRKjiVzv9BVjjZXcnRDxT/+kjOQTn:ttsLleervVjO/T/+kjOa
Threatray 10'694 similar samples on MalwareBazaar
TLSH EA94E06171D0D83EE886107478A9DFB64498B030352A9D3373D09B5E19F72E18E6AF7B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: HOST8DNSRAIN.home
Sending IP: 103.235.105.76
From: newstone@newstone.ru
Reply-To: newstone@newstone.ru
Subject: Re: Remittance of Advance payment
Attachment: Payment Copy.gz (contains "Payment Copy.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/39609/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Modifying an executable file
Launching a process
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/411267
Signature
Allocates memory in foreign processes
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 257982 Sample: Payment Copy.exe Startdate: 05/08/2020 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Yara detected AgentTesla 2->35 37 Sigma detected: MSBuild connects to smtp port 2->37 39 5 other signatures 2->39 7 Payment Copy.exe 3 2->7         started        process3 file4 25 C:\Users\user\AppData\Local\...\update.exe, PE32 7->25 dropped 27 C:\...\8f040125b52a4ea4b745fbdf8c581d4f.xml, XML 7->27 dropped 10 Payment Copy.exe 1 7->10         started        13 MSBuild.exe 7->13         started        15 cmd.exe 1 7->15         started        process5 signatures6 49 Writes to foreign memory regions 10->49 51 Allocates memory in foreign processes 10->51 53 Injects a PE file into a foreign processes 10->53 17 MSBuild.exe 4 10->17         started        55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->57 21 conhost.exe 15->21         started        23 schtasks.exe 1 15->23         started        process7 dnsIp8 29 chenklins.com 89.45.67.200, 49733, 49741, 587 BELCLOUDBG Netherlands 17->29 31 mail.chenklins.com 17->31 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 17->41 43 Tries to steal Mail credentials (via file access) 17->43 45 Tries to harvest and steal ftp login credentials 17->45 47 2 other signatures 17->47 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/ec6afc29beafb4093f0aca9fa00e1c3097dac94baee4801eebc5043de4556781/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-05 12:59:05 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5rvpykn6v62aspykzkp2adq4gcl5vsklv3siahxlyucd3zcvm6aq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2449c1f1a898c241fd99ef81dd67ea37db3944708a37a3229f19bf572d7136d8
AgentTesla
2797fabdb7ec8843947933f792ef8db22cc3bab5e06f8204ab4697acd0a04d55
AgentTesla
3c267f259097c5786ddcb5c74ec6410267d465976259d841b988271b7474906c
AgentTesla
3f17b1407dd6b3febc9c19770d1252a7028971382c85a2b9320e416801b2f904
AgentTesla
5772f99f2fb2648a9252d6742881ed81b380ce0c6986270a600ab2b975f5c4de
AgentTesla
86ed0ebbd24ad4c94834ea45d9af009a08738c1341b95ca0d35a59ffdc726de7
AgentTesla
90aa9f9ad74752d2965816d8d68399d2b1c4fdce28c2ca57753196b3a2d60b34
AgentTesla
9dda846870b687794890a95e4532f7886dcf61d6bfcd4cbc2ddeb306abc22311
AgentTesla
a132044c5acdf6901718ff3e7b6cee80b0d976f32d8876b2352b08d316feacf7
AgentTesla
c2be2f9a3561ac1145ac0711574c30064e14ec9d62e916b700f75cc33b77d154
AgentTesla
+ 10'684 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200805-x7qgcwbtq2/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ec6afc29beafb4093f0aca9fa00e1c3097dac94baee4801eebc5043de4556781

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 7a023f05b4a9cfef609e99018bb6b083570a5e59c630357aa0a05d18cc6d4d25

AgentTesla

Executable exe ec6afc29beafb4093f0aca9fa00e1c3097dac94baee4801eebc5043de4556781

(this sample)

  
Dropped by
MD5 12feef1c037e691e348358ed10c082e2
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/39609/
  
Dropped by
SHA256 7a023f05b4a9cfef609e99018bb6b083570a5e59c630357aa0a05d18cc6d4d25

Comments