MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0176edb193b6a132f2f996fd6f61f04d4b14c2064aabb7ea9995fde15d9398d4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	0176edb193b6a132f2f996fd6f61f04d4b14c2064aabb7ea9995fde15d9398d4
SHA3-384 hash:	6ac8dd6dd094a00fcc2bc79db930197923cf4e053ecdf595271164fe91821b6433f7d87a8f63e35a5b41cadf8cab1c37
SHA1 hash:	3594500087c54dd7730a8e85f7a3b2c33dcfae70
MD5 hash:	2a29dc4d08a171d0b1029325b8d95859
humanhash:	nitrogen-stairway-coffee-montana
File name:	Ref No.05082020.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	912'384 bytes
First seen:	2020-08-05 12:03:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	6f6a6c4d7e3c496aeb050e49f17c295e (6 x MassLogger, 5 x Loki, 4 x AgentTesla)
ssdeep	12288:gcE9+ysRKpnYn0uCYQvSXxJ9P9cz6ku52zNC61/azObqtk6GkQfIn6ELurdZ4:g3+RcOn0TC3moKhcybq+6HhLurdZ4
Threatray	11'763 similar samples on MalwareBazaar
TLSH	67159ED3F28044FFD07219789C4B42A3A926FD116928A8462BE43F4C4F7529179FE2B7
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: uzlinshpl01.uzcloud.uz
Sending IP: 185.74.4.8
From: Metzerplas-Ecuador <metzerplas-ecuador@metzerplas.com.ec>
Subject: Re: DEVOLUCIÓN DE PAGO TT (Ref No.05082020)
Attachment: Ref No.05082020.gz (contains "Ref No.05082020.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/39528/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/411124

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/0176edb193b6a132f2f996fd6f61f04d4b14c2064aabb7ea9995fde15d9398d4/

Threat name:

Win32.Infostealer.Fareit

Status:

Malicious

First seen:

2020-08-05 12:05:17 UTC

AV detection:

24 of 27 (88.89%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=af3o3mmtw2qtf4xzs36w6ypqjvfrjqqgjkv3p2uzsx66cxmttdka._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

5be0aff5e9bf958f99789e62dd5bdf3b63cfe0e57fcbd1c7144d9a5e71f530f7

AgentTesla

66389b1f3694d4b7074b6204b99a48425f4ba35c3bab1a40182da6cf633a8f8c

AgentTesla

84321d91850ce025e214ab49400d8c1fade931a55483a87582f4f266e3ec196b

AgentTesla

8ef3683f410bc355437039e00b40520b5485ca257739c6e2ca808982b55b78b2

AgentTesla

921535a6ad60e212e6628f7ae40b356db57c7be4a70c4616d032226fca211523

AgentTesla

99b14cfb554065990c24c0d35ec7a4ef07bfee5e4183deab7774ab44cb3e20b2

AgentTesla

ada69719a8c7620548af5136d2529435cfc4a676163c64e85b9a96644762a453

AgentTesla

b8789e245fdcc8f15b3e86a516660004980a8febea95077b7606e5bfc4a7bd31

AgentTesla

d403c99aefd064f6f58be588861937c195d14ff1039ce0a4cce285cdfb47eab9

AgentTesla

+ 11'753 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200805-32et6mgm3e/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

UPX packed file

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0176edb193b6a132f2f996fd6f61f04d4b14c2064aabb7ea9995fde15d9398d4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar