MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 04fd7b2d4a88e576168ebc669d15c4507339d5d08722d333663809e4a8c2ebd3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 04fd7b2d4a88e576168ebc669d15c4507339d5d08722d333663809e4a8c2ebd3
SHA3-384 hash: 7bb22a91e4ca2952dc27fd897918ac1fc5e46a6887bb6d1dc7051cabc5396774994458205c4b154ffb2b24367c544aa5
SHA1 hash: f2bcae4c4df8b1306c5237969aa53d79bce173a3
MD5 hash: 731203aa986840834ce696b27abb07d5
humanhash: zebra-hot-artist-triple
File name:aass.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:253'952 bytes
First seen:2020-07-23 23:12:06 UTC
Last seen:2020-07-23 23:34:31 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 6144:eYcbICnk1g1D4toynutiw4tqLwQL7cUDPuInUSsUo9Dk0EqB7hW:pvCDWoynutXkQLYUDPualsrzEq7I
Threatray 10'907 similar samples on MalwareBazaar
TLSH 67442331E6C86BAACD42FFF0496143A0BFDE6D560134E1CB65FD0D8D9E22938959B1D0
Reporter malware_traffic
Tags:AgentTesla exe FTP

Intelligence

File Origin
# of uploads :
2
# of downloads :
96
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/31976/
Detection(s):
SecuriteInfo.com.Trojan.Siggen6.20332.20851.516.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Loading a driver
Launching a process
Loading a system driver
Launching a service
Creating a service
Creating a process with a hidden window
Searching for the window
Changing a file
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Possible injection to a system process
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Forced shutdown of a system process
Enabling autorun for a service
Forced shutdown of a browser
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/396820
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 250554 Sample: aass.exe Startdate: 24/07/2020 Architecture: WINDOWS Score: 100 55 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->55 57 Antivirus / Scanner detection for submitted sample 2->57 59 Yara detected AgentTesla 2->59 61 5 other signatures 2->61 7 aass.exe 8 2->7         started        10 winlogon.exe 2->10         started        13 winlogon.exe 2 2->13         started        15 winlogon.exe 2 2->15         started        process3 file4 29 C:\Users\user\AppData\...\winlogon.exe, PE32 7->29 dropped 31 C:\Users\...\winlogon.exe:Zone.Identifier, ASCII 7->31 dropped 33 C:\Users\user\AppData\Local\...\aass.exe.log, ASCII 7->33 dropped 17 winlogon.exe 2 3 7->17         started        63 Injects a PE file into a foreign processes 10->63 20 winlogon.exe 10->20         started        23 winlogon.exe 15 12 13->23         started        25 winlogon.exe 15->25         started        signatures5 process6 dnsIp7 37 Antivirus detection for dropped file 17->37 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->39 41 Machine Learning detection for dropped file 17->41 53 2 other signatures 17->53 27 winlogon.exe 4 17->27         started        43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->43 45 Tries to steal Mail credentials (via file access) 20->45 47 Tries to harvest and steal ftp login credentials 20->47 49 Tries to harvest and steal browser information (history, passwords, etc) 20->49 35 ftp.skibokshotell.no 178.164.11.103, 21, 49157, 49470 NTE-BREDBANDNIX1OsloNorwayNO Norway 23->35 51 Installs a global keyboard hook 23->51 signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/04fd7b2d4a88e576168ebc669d15c4507339d5d08722d333663809e4a8c2ebd3/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Suspicious
First seen:
2020-07-23 23:14:07 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=at6xwlkkrdsxmfuoxrtj2foekbzttvoqq4rngm3ghae6jkgc5pjq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01bc78a6f3181017aa8777831c018ab764d19a01dcc20d0dc7337954d31e2f59
AgentTesla
2391c9beb21916a6b7f18cd2dadf9f9c19a060b75791f6052e65a683161d7a60
AgentTesla
5a023b9d4e63aab62c95820c69b08fc286f1ff99f7eb9381c5a83b258784063f
AgentTesla
681eec22b304d975c119e8b5721abd7b4ee6586361b51dda2c93f5a4c426abe4
AgentTesla
6ef9a45a617adf0e0ff740e37c865325289a110394725c393c314a3128a2575f
AgentTesla
743cd5b161539860d7779adcc10b393ebb812c8c201b98c974b43ff1f404c34d
AgentTesla
8a463f15c830e566292963bf3473b16288e71350e97d84359499fd33b7329a66
AgentTesla
d2b81427fe1f056fcb3678852c1f56cb4dc21fe8c3cc7dc9f83cb77144284164
AgentTesla
e72bbdfcc56339eb2aca00e01162d7fdd1004d9992150f2dea1b014d6b4469ac
AgentTesla
fbc8a4a7c795fa996462ad57db81b1b8c06e95cd9f6a6c0564c749682cdd6692
AgentTesla
+ 10'897 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/200723-xn7wptaz2n/
Behaviour
Enumerates system info in registry
Modifies data under HKEY_USERS
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Modifies WinLogon to allow AutoLogon
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/04fd7b2d4a88e576168ebc669d15c4507339d5d08722d333663809e4a8c2ebd3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/31976/

Comments