MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 080f9972ebfb306946e213424ef0970affd55dc8625bb4a2f3d3e38d2a6e2d72. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 080f9972ebfb306946e213424ef0970affd55dc8625bb4a2f3d3e38d2a6e2d72
SHA3-384 hash: ae14f8d57bbd549dd426df6b6e8e190dc9b4d0e95cdde7755969857c0a662db55a10661620efbbb6894d7df7e01fd628
SHA1 hash: 5c31ac9aa255c7a7c075220b13b38e707b57193c
MD5 hash: 993531f20c91433b76a32434c02f339f
humanhash: orange-summer-mockingbird-golf
File name:AP #DBL 18192020-reg_01.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'459'712 bytes
First seen:2020-10-19 06:38:45 UTC
Last seen:2020-10-19 08:24:42 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:G/ynwxEHLJyUc4YTNc0NQFqQdD+YTG0vNxJIeKW9dDXraPd87OzdtXsH18s/:GmXrJyprTNc0NQga+2LPKWPjAd87Ozd2
Threatray 17 similar samples on MalwareBazaar
TLSH A265223CD6E7EEC9C7FEC7B625FD2041DA9B84D26481E7568D4A797021277A088031BE
Reporter abuse_ch
Tags:AgentTesla exe Telegram


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.pistlewater.pw
Sending IP: 131.153.18.82
From: Bijith Nair <pistle@pistlewater.pw>
Subject: Fwd: TOP URGENT! - BL Draft Copy
Attachment: AP DBL 18192020-reg_01.gz (contains "AP #DBL 18192020-reg_01.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.38220.20639.12344.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Using the Windows Management Instrumentation requests
Creating a file
Creating a window
Creating a process from a recently created file
Reading critical registry keys
Launching the process to change network settings
Delayed writing of the file
DNS request
Sending an HTTP GET request
Deleting a recently created file
Sending a custom TCP request
Creating a file in the %temp% directory
Launching a process
Creating a file in the %AppData% subdirectories
Creating a process with a hidden window
Changing the Windows explorer settings
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Changing the Windows explorer settings to hide files extension
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Unauthorized injection to a recently created process
Stealing user critical data
Unauthorized injection to a system process
Enabling a "Do not show hidden files" option
Result
Threat name:
Osno
Create hunting rule
Detection:
malicious
Classification:
rans.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494834
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to hide user accounts
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Osno Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299868 Sample: AP #DBL 18192020-reg_01.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 52 Multi AV Scanner detection for domain / URL 2->52 54 Malicious sample detected (through community Yara rule) 2->54 56 Sigma detected: Capture Wi-Fi password 2->56 58 10 other signatures 2->58 8 AP #DBL 18192020-reg_01.exe 8 2->8         started        process3 file4 44 C:\Users\user\AppData\Roaming\...\ctfmom.exe, PE32 8->44 dropped 46 C:\Users\...\AP #DBL 18192020-reg_01.exe.log, ASCII 8->46 dropped 62 Writes to foreign memory regions 8->62 64 Injects a PE file into a foreign processes 8->64 12 MSBuild.exe 19 20 8->12         started        16 ctfmom.exe 8->16         started        signatures5 process6 dnsIp7 50 ip-api.com 208.95.112.1, 49732, 80 TUT-ASUS United States 12->50 66 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 12->66 68 Changes the view of files in windows explorer (hidden files and folders) 12->68 70 Tries to harvest and steal browser information (history, passwords, etc) 12->70 74 4 other signatures 12->74 18 cmd.exe 12->18         started        21 cmd.exe 12->21         started        23 powershell.exe 25 12->23         started        25 2 other processes 12->25 72 Antivirus detection for dropped file 16->72 signatures8 process9 dnsIp10 60 Tries to harvest and steal WLAN passwords 18->60 28 conhost.exe 18->28         started        30 chcp.com 18->30         started        32 netsh.exe 18->32         started        34 findstr.exe 18->34         started        36 conhost.exe 21->36         started        38 tasklist.exe 21->38         started        40 conhost.exe 23->40         started        48 192.168.2.1 unknown unknown 25->48 42 conhost.exe 25->42         started        signatures11 process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/080f9972ebfb306946e213424ef0970affd55dc8625bb4a2f3d3e38d2a6e2d72/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 21:21:51 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=bahzs4xl7mygsrxccnbe54exbl75kxoimjn3jixt2pry2ktofvza._file
Verdict:
suspicious
Similar samples:
0437a3b7c497908d0dc489a1b21cf395b76eedae8f1a1b473ecbb5f02e892bf9
AgentTesla
10b2e74fdeacd4b00b7687eca2f1bfe0c30901561453ae6c1b9549406b29615e
AgentTesla
204d3c9b626e4bbac7012901f30592bf7408c66edb80ce1dda55f6d9421cb7f8
AgentTesla
29e9bb0fe606371bd16d7f1476e089c9bf463caf5cd2c67ac2b3f1148e760a03
AgentTesla
3bb9f55514122071824320091030f517a2809c140d86791275037569b26f53f1
AgentTesla
5073dae4db5d373083392acc876b2cee4a9c0a06001be580dd5fbca8f6124f68
AgentTesla
51401fa98405461758f1602a4394280504e89b4bad49c97e4ea058a1c9788474
AgentTesla
88862ca221d9e5f6c871c460a53a0f90ceebaa5a20d8c45b8ec6a9413592f38d
AgentTesla
ccdf6799e7fceaa24cdaaf41ba79fdafaf04a2a8e64dd9bf40cf3ddce9345adf
AgentTesla
f902d33ba5996db886cd1f33e62759cd13605c1c825e3214032f92c4fed730b8
AgentTesla
+ 7 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence spyware trojan family:agenttesla evasion
Link:
https://tria.ge/reports/201019-y9vbb29hqe/
Behaviour
Enumerates processes with tasklist
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Loads dropped DLL
Reads user/profile data of web browsers
Disables Task Manager via registry modification
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies visibility of file extensions in Explorer
Unpacked files
SH256 hash:
2758ec4bd97b7ba91d58821acb08e78c346421168456cddab86df212568b6e6e
MD5 hash:
f3323ccbb032cfe7828a00648f9f1964
SHA1 hash:
7133fa5ba74c20733bcd6a7da2fe394dee52077e
Link:
https://www.unpac.me/results/6b6e885c-de41-4898-9f67-acf7bd954c84/
SH256 hash:
2cc442f7db3cf19c78d143b2ea017fc2e258e3660eb1bf14627d4a04a155e1a4
MD5 hash:
073eadcf98e663bab9596638b643ac73
SHA1 hash:
88a3e4308afc109d6605ac17870938c39bf612ae
Link:
https://www.unpac.me/results/6b6e885c-de41-4898-9f67-acf7bd954c84/
SH256 hash:
f4ef231870e1909cdc5a39a7c717f8cfb7387c7bbb17165f3bbb729ff079a695
MD5 hash:
8a9707e0ad1440e452dd2aff4971a839
SHA1 hash:
921d901d195e2ea38d3e5cf5a8bf8177b99c09f4
Link:
https://www.unpac.me/results/6b6e885c-de41-4898-9f67-acf7bd954c84/
SH256 hash:
4d6aeb22d0b3a140468c4645b767af97bb33e85244ef742219e40d7de6d8618b
MD5 hash:
9af533e1fe4f413bbdf6584cddf441e8
SHA1 hash:
ab12cd39ba246310de379d60b523c0c39b31c9b3
Link:
https://www.unpac.me/results/6b6e885c-de41-4898-9f67-acf7bd954c84/
SH256 hash:
e3f9ac02690808ee8e82aeb07cb5c2a5bea0ec6b704f12749e6e1de14b996b55
MD5 hash:
80a1256052a8c22d8417f99945170b82
SHA1 hash:
d9a167b2a7e3611717b00a037686203935900297
Link:
https://www.unpac.me/results/6b6e885c-de41-4898-9f67-acf7bd954c84/
SH256 hash:
080f9972ebfb306946e213424ef0970affd55dc8625bb4a2f3d3e38d2a6e2d72
MD5 hash:
993531f20c91433b76a32434c02f339f
SHA1 hash:
5c31ac9aa255c7a7c075220b13b38e707b57193c
Link:
https://www.unpac.me/results/6b6e885c-de41-4898-9f67-acf7bd954c84/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/080f9972ebfb306946e213424ef0970affd55dc8625bb4a2f3d3e38d2a6e2d72

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip c5fa542519f710b174a1dd78fd27173e7059d99c4de6434a6a765b8aa780a8f8

AgentTesla

Executable exe 080f9972ebfb306946e213424ef0970affd55dc8625bb4a2f3d3e38d2a6e2d72

(this sample)

  
Dropped by
MD5 a73f4bad71d874ead98a882167cc1580
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 c5fa542519f710b174a1dd78fd27173e7059d99c4de6434a6a765b8aa780a8f8
Cape
Cape
https://www.capesandbox.com/analysis/72747/

Comments