MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04a15570edeff9cc669143962167d7672296d355a4cf02bedd1605145616907d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04a15570edeff9cc669143962167d7672296d355a4cf02bedd1605145616907d
SHA3-384 hash: 6a29e13dca4270d25ddfdb8d006d963023616bcd0562848195e6fd40843392a145cdfb79fa67bd50d4814d1f931c1f65
SHA1 hash: b6f0eb8cd3ab504fc988d47f5d7280cf345b3e31
MD5 hash: 8eebdcad6657b7918789f369413c944a
humanhash: quiet-steak-uncle-lemon
File name:Shipping Documents_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:819'712 bytes
First seen:2020-10-29 06:05:54 UTC
Last seen:2020-10-29 09:59:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c301f8f7be1bb1fcc854a8241f1007d0 (11 x NanoCore, 2 x Loki, 1 x HawkEye)
ssdeep 12288:yxUZMROg9MX2SKezgunq8yw4n7mioXqDwbzxR3EUUl1MVE:vZP6M5nq8sLlDwvEl1MO
TLSH 1C058E26F2A148F3C16729F89C3B57A4682AFE1C2D24F9466BF71C485F7D6433429293
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/80809/
Detection(s):
Win.Malware.Generic-9784689-0
Create hunting rule

Win.Trojan.Netwire-9784905-0
Create hunting rule

PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Unauthorized injection to a recently created process
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/515781
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 306999 Sample: Shipping Documents_pdf.exe Startdate: 29/10/2020 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Multi AV Scanner detection for submitted file 2->47 49 Detected unpacking (changes PE section rights) 2->49 51 11 other signatures 2->51 7 Shipping Documents_pdf.exe 3 2->7         started        10 wscript.exe 1 2->10         started        process3 signatures4 53 Writes to foreign memory regions 7->53 55 Allocates memory in foreign processes 7->55 57 Maps a DLL or memory area into another process 7->57 59 Queues an APC in another process (thread injection) 7->59 12 Shipping Documents_pdf.exe 15 4 7->12         started        16 notepad.exe 1 7->16         started        18 Shipping Documents_pdf.exe 3 7->18         started        20 Shipping Documents_pdf.exe 3 10->20         started        process5 dnsIp6 39 dunlopmills.ro 92.114.95.185, 26, 49746, 49748 GTSCEGTSCentralEuropeAntelGermanyCZ Romania 12->39 41 elb097307-934924932.us-east-1.elb.amazonaws.com 184.73.247.141, 443, 49745 AMAZON-AESUS United States 12->41 43 4 other IPs or domains 12->43 69 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->69 71 Tries to steal Mail credentials (via file access) 12->71 73 Drops VBS files to the startup folder 16->73 75 Delayed program exit found 16->75 77 Writes to foreign memory regions 20->77 79 Allocates memory in foreign processes 20->79 81 Maps a DLL or memory area into another process 20->81 22 Shipping Documents_pdf.exe 4 20->22         started        26 notepad.exe 1 20->26         started        29 Shipping Documents_pdf.exe 20->29         started        signatures7 process8 dnsIp9 33 54.227.255.202, 443, 49747 AMAZON-AESUS United States 22->33 35 nagano-19599.herokussl.com 22->35 37 4 other IPs or domains 22->37 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->61 63 Tries to steal Mail credentials (via file access) 22->63 65 Tries to harvest and steal ftp login credentials 22->65 67 Tries to harvest and steal browser information (history, passwords, etc) 22->67 31 C:\Users\user\AppData\Roaming\...\chrome.vbs, ASCII 26->31 dropped file10 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/04a15570edeff9cc669143962167d7672296d355a4cf02bedd1605145616907d/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-10-29 01:29:51 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=asqvk4hn5744yzuriolccz6xm4rjnu2vuthqfpw5cycrivqwsb6q._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201029-64wpqb1qkx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar a440abd5d10b084e503c169b8e1e0a3c122a496336a0df4aa054f54f517bb80f

AgentTesla

Executable exe 04a15570edeff9cc669143962167d7672296d355a4cf02bedd1605145616907d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a440abd5d10b084e503c169b8e1e0a3c122a496336a0df4aa054f54f517bb80f
Cape
Cape
https://www.capesandbox.com/analysis/80809/
  
Dropped by
SHA256 148a5294a29ec09f249244dc3e95fdeb22fab4f79623dfd15f026565d995fe79
  
Dropped by
SHA256 b145c862dce5a895ccfb0161b4e7cc54e217a48d6049b5b3d8a2e37c916bb88c

Comments