MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02e8ccb362f76aeb28273e88c3538254effce7f5aa752e17373c1de1c34e3d24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02e8ccb362f76aeb28273e88c3538254effce7f5aa752e17373c1de1c34e3d24
SHA3-384 hash: cb880de8bcbd70ec84d935d9a0f1c5eaa85bf80b0a082ec7724006093298bf285fe4aeef0d2af14e4000666173a963b0
SHA1 hash: 2c539fe11516bfd535d17d819051e7c77ea7bf57
MD5 hash: c0f0ce598634516416035a65ce6f3e93
humanhash: maine-zulu-uniform-india
File name:Gironex 2 9503 Order XLSX.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'162'240 bytes
First seen:2020-10-06 05:49:55 UTC
Last seen:2020-10-06 13:17:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 24576:cambk62p2GecX/ItTew1Twnl8zSPEkesPCEnfB:cao2pH/IZeYUaSjGE
Threatray 23 similar samples on MalwareBazaar
TLSH 7535D111564C0367F132D079A227D4786BB2CD456A08D2D52DEA9CBFFECFE98B4E0609
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: gironex.com
Sending IP: 172.93.165.152
From: Edwards <edwards.maya@gironex.com>
Subject: Enclosed Order No.179989
Attachment: Gironex 2 9503 Order XLSX.zip (contains "Gironex 2 9503 Order XLSX.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68414/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Creating a process from a recently created file
Moving of the original file
Stealing user critical data
Unauthorized injection to a recently created process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482310
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes security center settings (notifications, updates, antivirus, firewall)
Drops PE files with benign system names
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293595 Sample: Gironex 2 9503 Order XLSX.exe Startdate: 06/10/2020 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Found malware configuration 2->54 56 Antivirus detection for dropped file 2->56 58 14 other signatures 2->58 7 Gironex 2 9503 Order XLSX.exe 15 4 2->7         started        12 svchost.exe 2->12         started        14 svchost.exe 2->14         started        16 5 other processes 2->16 process3 dnsIp4 42 flood-protection.org 85.187.154.178, 49723, 587 A2HOSTINGUS United States 7->42 44 mail.flood-protection.org 7->44 46 cdn.discordapp.com 162.159.134.233, 443, 49724 CLOUDFLARENETUS United States 7->46 40 C:\Users\user\AppData\Local\...\svchost.exe, PE32 7->40 dropped 68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 7->68 70 Moves itself to temp directory 7->70 72 Tries to steal Mail credentials (via file access) 7->72 78 2 other signatures 7->78 18 svchost.exe 3 7->18         started        74 Injects a PE file into a foreign processes 12->74 21 svchost.exe 12->21         started        76 Changes security center settings (notifications, updates, antivirus, firewall) 14->76 24 MpCmdRun.exe 14->24         started        48 127.0.0.1 unknown unknown 16->48 50 192.168.2.1 unknown unknown 16->50 26 svchost.exe 16->26         started        file5 signatures6 process7 file8 60 Antivirus detection for dropped file 18->60 62 Multi AV Scanner detection for dropped file 18->62 64 Machine Learning detection for dropped file 18->64 66 2 other signatures 18->66 28 svchost.exe 1 2 18->28         started        30 svchost.exe 18->30         started        32 svchost.exe 18->32         started        34 svchost.exe 18->34         started        38 C:\Users\user\AppData\Roaming\svchost.exe, PE32 21->38 dropped 36 conhost.exe 24->36         started        signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02e8ccb362f76aeb28273e88c3538254effce7f5aa752e17373c1de1c34e3d24/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 00:59:47 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=alumzm3c65vowkbhh2emgu4cktx7zz7vvj2s4fzxhqo6dq2ohusa._file
Verdict:
unknown
Similar samples:
17347ea4da31247415f8d87423d8b0b03eac3c25c4bed8fac50723eaba2f6b04
AgentTesla
194b26a2d9469d17c5ab27bbd41257758c3a4f7e20efd5388f3643f24c364b94
AgentTesla
441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190
AgentTesla
510c68882ff2fed7d2045040f45c79980ebaa58c9c074d59390edc72c1bbca68
AgentTesla
64c4d370517d05b2add478ca85855bf94c4c51ed05e9e02a92afecc04459ea38
AgentTesla
79a794aa53cfb22103d08a8cfa1bb158e2a23bbaa6f73abee590083ae45b560f
AgentTesla
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
AgentTesla
a50b13f838ab5c3a87196d1b8896ad7e1bd4272c948d79bf3d4636ca4f8baba1
AgentTesla
c8ef5faf8bef2942260f56a7bfca916280711c776ee19bf00954ebdee11804ea
AgentTesla
d9c78a21a8344b6cc4768d7fa1b9ff128437267f1b7d1d29fccca4a5751d7ed6
AgentTesla
+ 13 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Link:
https://tria.ge/reports/201006-yvdnzmwhhn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/ed8da037-97dd-4690-864e-e41807abaf51/
SH256 hash:
a00a5bfb23582d1ae3fc97f4f3a3c89d4d4e973b39594729c74a856b028952dc
MD5 hash:
998bada90d719e7a32c7eab8f047f4e9
SHA1 hash:
8e14235f3e4fb01b150a63f23c2db23e6851a69c
Link:
https://www.unpac.me/results/ed8da037-97dd-4690-864e-e41807abaf51/
SH256 hash:
fc35c62b175b3e9674643642f111cb7e95452d537e26483832fe25e25a4a64e0
MD5 hash:
baee64f4e4c058212983c6477a2fcb66
SHA1 hash:
a8ee0da9997694b7eade165dfcb02d1cb70b9df9
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/ed8da037-97dd-4690-864e-e41807abaf51/
Parent samples :
441da56bd7e61ce353b6cf4be1510e44983465620fab6130c648bb99e15ab190
02e8ccb362f76aeb28273e88c3538254effce7f5aa752e17373c1de1c34e3d24
SH256 hash:
0b42b13263981ea74dc0185788715d41d80a14b0044521869450a3a6cfc30ae0
MD5 hash:
456e318da7060cd052c50342e4debf2f
SHA1 hash:
b74d74efa03b087f4e7fc90e06166b93877bfa19
Link:
https://www.unpac.me/results/ed8da037-97dd-4690-864e-e41807abaf51/
SH256 hash:
02e8ccb362f76aeb28273e88c3538254effce7f5aa752e17373c1de1c34e3d24
MD5 hash:
c0f0ce598634516416035a65ce6f3e93
SHA1 hash:
2c539fe11516bfd535d17d819051e7c77ea7bf57
Link:
https://www.unpac.me/results/ed8da037-97dd-4690-864e-e41807abaf51/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02e8ccb362f76aeb28273e88c3538254effce7f5aa752e17373c1de1c34e3d24

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 366109a84ceca34833d9bdbf6a987ad60d412f39fbb91b0a5d69adcb500de451

AgentTesla

Executable exe 02e8ccb362f76aeb28273e88c3538254effce7f5aa752e17373c1de1c34e3d24

(this sample)

  
Dropped by
MD5 b6636379c45d0fdc43f5a0e0f24c9263
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 366109a84ceca34833d9bdbf6a987ad60d412f39fbb91b0a5d69adcb500de451
Cape
Cape
https://www.capesandbox.com/analysis/68414/

Comments