MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12546fbdf863d3967becb71e06453a54c79cb38aa1fdfa9f09aae5806f284932. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

SHA256 hash: 12546fbdf863d3967becb71e06453a54c79cb38aa1fdfa9f09aae5806f284932
SHA3-384 hash: 8ae314482c0181f6255e3193f95d1192caa756c951e0acab140888c734e8edda8c2d142212225027064d8742be6a7081
SHA1 hash: 172e9c9e45d8012177f1b63c6ed663a36ca94e3c
MD5 hash: 9a291b5aa504dea948ecbd9c8ed027bb
humanhash: florida-beer-hawaii-wyoming
File name: 9a291b5aa504dea948ecbd9c8ed027bb.exe
Signature: AgentTesla
File size: 1'535'488 bytes
First seen: 2020-10-19 11:05:34 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 24576:cToITadHszY+FnT+0aqwfdfqaPn7uAaS6qZT6pZ1cvWzooDEOd++EvMLjodplhQ5:Soua0FTefgav7n7p6pLOwooldgvMHod9
Threatray: 20 similar samples on MalwareBazaar
TLSH: 9F65237A5FEC1D62D7BE0D7A403547106338F74D5843BB2BB811AD1C1AA6B7CCE068A8
Reporter: abuse_ch
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 86
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Deleting a recently created file
Running batch commands
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Reading critical registry keys
Launching the process to change network settings
Delayed writing of the file
Sending an HTTP GET request
Sending a UDP request
Creating a window
Creating a file in the %temp% directory
Launching a process
Changing the Windows explorer settings to hide files extension
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Enabling a "Do not show hidden files" option
Result
Threat name:
Detection: malicious
Classification: rans.troj.adwa.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to hide user accounts
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Osno Ransomware
Behaviour
Behavior Graph: (rendered graph not reproduced here; Behavior Graph ID: 300115, Sample: v3yPKhlkbf.exe, Startdate: 19/10/2020, Architecture: WINDOWS, Score: 100)
  Top-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; Sigma detected: Capture Wi-Fi password; 14 other signatures
  Process tree:
    v3yPKhlkbf.exe -> MSBuild.exe -> cmd.exe, cmd.exe, powershell.exe, 2 other processes (child processes include conhost.exe instances and several others)
    Chrome updaters.exe -> MSBuild.exe -> cmd.exe, powershell.exe, powershell.exe, cmd.exe (each with a conhost.exe child, plus 2 other processes under the first cmd.exe)
  Files dropped by v3yPKhlkbf.exe: C:\Users\user\AppData\...\Chrome updaters.exe (PE32); C:\...\Chrome updaters.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\...\v3yPKhlkbf.exe.log (ASCII)
  Files dropped by Chrome updaters.exe: C:\Users\user\AppData\Local\...\r77-x64.dll (PE32+); C:\Users\user\AppData\Local\...\r77-x86.dll (PE32)
  Network activity from MSBuild.exe: ip-api.com (208.95.112.1, 49731, 49740, 80, TUT-ASUS, United States); 192.168.2.1 (unknown); 245.246.1.0.in-addr.arpa
  Signatures on v3yPKhlkbf.exe: Drops PE files to the startup folder; Writes to foreign memory regions; Injects a PE file into a foreign processes
  Signatures on MSBuild.exe (spawned by v3yPKhlkbf.exe): Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Adds a directory exclusion to Windows Defender; Disables the Windows task manager (taskmgr)
  Signatures on MSBuild.exe (spawned by Chrome updaters.exe): Tries to harvest and steal browser information (history, passwords, etc); Tries to harvest and steal WLAN passwords
  Signature on cmd.exe: Tries to harvest and steal WLAN passwords
Threat name: ByteCode-MSIL.Trojan.Perseus
Status: Malicious
First seen: 2020-10-19 10:01:40 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: keylogger stealer evasion persistence spyware trojan family:agenttesla
Behaviour
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
Disables Task Manager via registry modification
AgentTesla Payload
AgentTesla
Modifies visibility of file extensions in Explorer
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: Choice_Del_method_bin_mem
Author: James_inthe_box
Description: cmd ping IP nul del

Rule name: Email_stealer_bin_mem
Author: James_inthe_box
Description: Email in files like avemaria

Rule name: IPPort_combo_mem
Author: James_inthe_box
Description: IP and port combo

Rule name: Keylog_bin_mem
Author: James_inthe_box
Description: Contains Keylog

Rule name: Quasar_RAT_1
Author: Florian Roth
Description: Detects Quasar RAT
Reference: https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Rule name: RDPWrap
Author: @bartblaze
Description: Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference: https://github.com/stascorp/rdpwrap

Rule name: Select_from_enumeration
Author: James_inthe_box
Description: IP and port combo

Rule name: Stealer_word_in_memory
Author: James_inthe_box
Description: The actual word stealer in memory

Rule name: Steam_stealer_bin_mem
Author: James_inthe_box
Description: Steam in files like avemaria

Rule name: Telegram_bot_mem
Author: James_inthe_box
Description: Telegram in files like avemaria

Rule name: Telegram_stealer_bin_mem
Author: James_inthe_box
Description: Telegram in files like avemaria

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Web download
Malware family: AgentTesla
File type: Executable exe
SHA256: 12546fbdf863d3967becb71e06453a54c79cb38aa1fdfa9f09aae5806f284932 (this sample)

Delivery method: Distributed via web download
