MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 096e367392216bef16b7bb081ec13edbf71a774b5f8de11fe22a15fed254f8c9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 096e367392216bef16b7bb081ec13edbf71a774b5f8de11fe22a15fed254f8c9
SHA3-384 hash: cb30f42440f03d2991698c841e55043ee9a4300ad1735e3983e06198955ba3f4a6dd8ef4f32ab0042e320f397d4124af
SHA1 hash: 57f84fc433737662a1edaf8675f3f28038347126
MD5 hash: a99ce8dca56f302d6df6c8abcfc707bc
humanhash: beryllium-cola-yellow-mountain
File name:VQiCue7HEz6VM3g.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:607'232 bytes
First seen:2020-08-31 10:34:39 UTC
Last seen:2020-08-31 12:44:23 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:QnGG/1jcsmvXkQt08vOdEt/kWbv3U76YVsrCnnxSxOErlaqtnDiDC60hp7o6T+oL:gGmkUUtrbKHOaqt
Threatray 9'584 similar samples on MalwareBazaar
TLSH 85D41301297C6B76D6F20BFA1C2D3E2ED3A0746B540ED6ED6CE061D207B73588736A46
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: devex.com
Sending IP: 37.48.85.241
From: R.K. Mahobe <rkmaho@devex.com>
Reply-To: info@devex.com>
Subject: Request offer for the Attached Equipments
Attachment: EquipmentsOrder.Pdf .rar (contains "VQiCue7HEz6VM3g.exe")

Intelligence

File Origin
# of uploads :
3
# of downloads :
80
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53400/
Detection(s):
SecuriteInfo.com.W32.Trojan-7.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/455245
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 279996 Sample: VQiCue7HEz6VM3g.exe Startdate: 31/08/2020 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 6 other signatures 2->37 7 VQiCue7HEz6VM3g.exe 4 2->7         started        process3 file4 19 C:\Users\user\AppData\...\qRkTaxBqiU.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmp3ED6.tmp, XML 7->21 dropped 23 C:\Users\user\...\VQiCue7HEz6VM3g.exe.log, ASCII 7->23 dropped 39 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->39 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 Injects a PE file into a foreign processes 7->45 11 VQiCue7HEz6VM3g.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 smtp.yandex.ru 77.88.21.158, 49741, 587 YANDEXRU Russian Federation 11->25 27 192.168.2.1 unknown unknown 11->27 29 smtp.yandex.com 11->29 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/096e367392216bef16b7bb081ec13edbf71a774b5f8de11fe22a15fed254f8c9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 04:12:56 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=bfxdm44sefv66fvxxmeb5qj63p3ru52ll6g6ch7cfik75usu7deq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1a55a181a00b302c127b8871d999942cd3f9b83cfb3172cca4894fbbea1b668f
AgentTesla
4ba3daeca73f3cde751424f8ec9972e274e0ffe915ce7c58eac0bf4d278920b1
AgentTesla
6c76b0e2b57067304f41c2933d486c67d798d150bff984acc0358e66d046036a
AgentTesla
6ef9a45a617adf0e0ff740e37c865325289a110394725c393c314a3128a2575f
AgentTesla
9b2c90b93c9af7fb8cec51700f72b69a78e7d730f34ad7804911b6b0c139c4ef
AgentTesla
a064d4e5e3d00ac866cbdd8aedc407aaeb62ec1cc68885a36ef6ec71375edc68
AgentTesla
a7c404c180deb431bd646e805be187aa4d65c1c2eb6d38c9c288af96d21d2eb8
AgentTesla
ccc2680bb054771a7c3677eb8075e3a33b2319c523c0c97976f1ada8896aa8b7
AgentTesla
cffb6736521771821af04e2caaaf125e1d475bfe7166fcb39ff7db14c41931a7
AgentTesla
ed9c2df25d44534262a1fd849fefcef05b2255ed793228b6446c1dd540d9b928
AgentTesla
+ 9'574 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer evasion spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200831-14bfct83d6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/096e367392216bef16b7bb081ec13edbf71a774b5f8de11fe22a15fed254f8c9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 4ac3bf1211efa081b87d49d3b40d8851b0fc66a29f6ad3beb3cb1649d02b8478

AgentTesla

Executable exe 096e367392216bef16b7bb081ec13edbf71a774b5f8de11fe22a15fed254f8c9

(this sample)

  
Dropped by
MD5 698029bb07e262b93f2fe800aa188675
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 4ac3bf1211efa081b87d49d3b40d8851b0fc66a29f6ad3beb3cb1649d02b8478
Cape
Cape
https://www.capesandbox.com/analysis/53400/

Comments