MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac
SHA3-384 hash: f9b7cc0e72ed7a1600716da9a01c4b120520af95c730a8310e2f2f1aad5ce1f9be3fa580680c2b878207dd30e14d18e2
SHA1 hash: 6317b11ea4347932bc47beedcba1e8bb8b3e3220
MD5 hash: 30619d87ec29a17cb5aae379b9a524ea
humanhash: arkansas-harry-video-fifteen
File name:ben12.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:964'608 bytes
First seen:2020-09-25 09:40:15 UTC
Last seen:2020-09-25 12:36:25 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 12288:7OUoKKvz0vcYzpMe8APJP6/VzQwO7rMZJi/ZdgD9Jr6hqOkDzuSf8hgyziogrjeq:78jwvVzpF9Q/VMwO7Ii/UDr6MvRf6ae
Threatray 10'700 similar samples on MalwareBazaar
TLSH 8925122B5ADEFC98D9BD0674B3B603D587618D013502E2AD8EEC64D899797C33D01BE4
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: maersk.com
Sending IP: 81.174.12.6
From: "A.P. Moller - Maersk" <noreply@maersk.com>
Subject: RE : RE : URGENT!!! 2 x 20ft - SHIPPING DOC BL,SI,INV#462345 // MAERSK KLEVEN V.949E // CLGQOE191781 //
Attachment: BL Draft - DOC20393718923212.xlsx

AgentTesla payload URL:
http://149.202.110.58/ben12.exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
109
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/65759/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.dc.23981.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/474934
Signature
Found malware configuration
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 289913 Sample: ben12.exe Startdate: 25/09/2020 Architecture: WINDOWS Score: 100 36 Found malware configuration 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 Sigma detected: RegAsm connects to smtp port 2->40 42 Yara detected AgentTesla 2->42 7 ben12.exe 1 2->7         started        process3 signatures4 44 Writes to foreign memory regions 7->44 46 Maps a DLL or memory area into another process 7->46 10 ben12.exe 7->10         started        13 RegAsm.exe 2 7->13         started        process5 dnsIp6 48 Writes to foreign memory regions 10->48 50 Maps a DLL or memory area into another process 10->50 16 RegAsm.exe 2 10->16         started        24 smtp.yandex.ru 77.88.21.158, 49721, 49729, 587 YANDEXRU Russian Federation 13->24 26 smtp.yandex.com 13->26 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->52 54 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->54 56 Tries to steal Mail credentials (via file access) 13->56 58 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 13->58 signatures7 process8 dnsIp9 20 smtp.yandex.ru 16->20 22 smtp.yandex.com 16->22 28 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->28 30 Tries to steal Mail credentials (via file access) 16->30 32 Tries to harvest and steal ftp login credentials 16->32 34 Tries to harvest and steal browser information (history, passwords, etc) 16->34 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac/
Threat name:
ByteCode-MSIL.Ransomware.WannaCry
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 09:42:06 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=aewotub2pioubl7u35dq4ueij7azhxj7jved4zkf6ejdm5ucrowa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
35912ff3b78d0699082450202cc16cec5c11447c39ec0e4db7738c188662f0c5
AgentTesla
3823b2ac7444188f31b0e9990ecb3120084180af9fe5e5a30b5af83b91290a34
AgentTesla
5fa8237700455a67c1db31c12aa20e6b5536af561ae732248326cd94990ac388
AgentTesla
6a43d3e802d7a52afa0ed359ad45f965c55beabfc143efd8facb89259b760e34
AgentTesla
7ca8232e7c1412239e7ae183a33a8546097b37a1ca2fd03d068472f6ad7021c6
AgentTesla
80fe0d30794f8831524ac6309ed0588b6a88b85a244ed266da4c9d7a92e3ee9f
AgentTesla
8be1266645d388fa35124c58831cbd83fdc9b6faac7ad44ddaf4b0f6b9d2fd09
AgentTesla
9e3a94f237c30841d45f04d73fb46e31b3fa5c5f45a6b49b5acd8aaf9f0b748d
AgentTesla
b5ed3dead9212794fe1c3d66ac26cb3aef679980fdf63100e517f876655b0575
AgentTesla
cd62c1ca555d8caedbf2f6974500577216b34549681682d8802af804f0510f46
AgentTesla
+ 10'690 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200925-3w9rkn6ehe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac
MD5 hash:
30619d87ec29a17cb5aae379b9a524ea
SHA1 hash:
6317b11ea4347932bc47beedcba1e8bb8b3e3220
Link:
https://www.unpac.me/results/31cd28d7-14b6-4bb4-aa6e-087537c0d2f5/
SH256 hash:
1813321ed1fafea40798a6ca3bf65aaa6886b3e3ccb7e8e568ef8bca77155338
MD5 hash:
17a9fcebc99fe4cb4ce332969d6512f0
SHA1 hash:
9b3f35b4dc735b36a3b66a5b23ed631222a7ef4b
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/31cd28d7-14b6-4bb4-aa6e-087537c0d2f5/
Parent samples :
e6f80aee15c24e4bef84e6fa4c1435a64f96e06227e896c11a492c9d6ce35c21
012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac
SH256 hash:
8b96df868d63bf3e620d6f1a273e12912a576b65d08bd3b679d1a163e8728753
MD5 hash:
be033521034b9874ab44fd9c017013fd
SHA1 hash:
ea2c23a0c3609ff57bdb6b44cc1695066da9ba8b
Link:
https://www.unpac.me/results/31cd28d7-14b6-4bb4-aa6e-087537c0d2f5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xlsx b8c1d84d4fd7b6bcf9972841e67d2c8c5190bfcd3da83a3ab32e95e47d53b028

AgentTesla

Executable exe 012ce9d03a7a1d40aff4df470e50884fc193dd3f4d483e6545f1123676828bac

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/611610/
  
Dropped by
MD5 2942990a4be270434903f8e1dad31b94
  
Dropped by
SHA256 b8c1d84d4fd7b6bcf9972841e67d2c8c5190bfcd3da83a3ab32e95e47d53b028
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/65759/

Comments