MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14834e422ad8358e7ab81ecaeac49eaedcd036c084ab26c9e33193c26b138241. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 14834e422ad8358e7ab81ecaeac49eaedcd036c084ab26c9e33193c26b138241
SHA3-384 hash: ec3d2c188c10e7414fc64b474afa9a5eb82b2e892bbe6cf203c03c17dcaf2ad529930e66bd5cf55cde28c8534e53a275
SHA1 hash: 837917dd7748ae07bd17357fa61045a75d30358e
MD5 hash: 6fc0b6bc27b1d5c59a1500e2aea68722
humanhash: spring-arizona-edward-east
File name:AdministratorDownloadsBL,.rar.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'313'280 bytes
First seen:2020-12-03 08:57:33 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:y4EaCNT+lMnN2/n9mUyGP4mIIDzFXi6cMOiKF+5QFV6ej2Ahp:y4Xc+lCsf9QztIDFi6CiKFbFxCAr
Threatray 1'650 similar samples on MalwareBazaar
TLSH 04550272B266BF58E8BD4BF4256016040FF978AB6624E35C9DE170DF25A3B004B11FA7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: dhl.com
Sending IP: 103.145.252.171
From: "Feray Kozan (DHL TR)" <Feray.Kozan@dhl.com>
Subject: Re: Shipping documents and BL
Attachment: AdministratorDownloadsBL,.rar.zip (contains "AdministratorDownloadsBL,.rar.exe")

AgentTesla SMTP exfil server:
mail.alsayyadi.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
151
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106564/
Detection(s):
SecuriteInfo.com.ArtemisTrojan.4487.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Forced shutdown of a system process
Unauthorized injection to a system process
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/554471
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326336 Sample: AdministratorDownloadsBL,.rar.exe Startdate: 03/12/2020 Architecture: WINDOWS Score: 100 31 Yara detected AgentTesla 2->31 33 Yara detected AntiVM_3 2->33 35 .NET source code contains potential unpacker 2->35 37 4 other signatures 2->37 7 AdministratorDownloadsBL,.rar.exe 3 2->7         started        10 BAVLA.exe 4 2->10         started        12 BAVLA.exe 3 2->12         started        process3 signatures4 39 Writes to foreign memory regions 7->39 41 Allocates memory in foreign processes 7->41 43 Injects a PE file into a foreign processes 7->43 14 RegSvcs.exe 3 7->14         started        17 RegSvcs.exe 7->17         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        process5 signatures6 51 Injects a PE file into a foreign processes 14->51 23 RegSvcs.exe 2 6 14->23         started        27 RegSvcs.exe 14->27         started        53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 17->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->55 process7 file8 29 C:\Users\user\AppData\Roaming\...\BAVLA.exe, PE32 23->29 dropped 45 Tries to steal Mail credentials (via file access) 23->45 47 Tries to harvest and steal browser information (history, passwords, etc) 23->47 49 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->49 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/14834e422ad8358e7ab81ecaeac49eaedcd036c084ab26c9e33193c26b138241/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 08:46:48 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=csbu4qrk3a2y46vyd3fovre6v3onanwaqsvsnspdggj4e2ytqjaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
045b92b336103f95c9a5acff35461d8eb69bbf9aaed8158787362e2853a50e4c
AgentTesla
2afd51643d6941bd1cb12c0a3b998315bb72d2fd0b1f8f0ca557007e090e87b0
AgentTesla
497e1d0c02120ed816acd24e875f2bca394f778c6a8fce6e72a9aaede55b421e
AgentTesla
5f40f0eb593f0202c8bf43fee6520149a951ced26c299bb7cdceb423e7422a27
AgentTesla
6abf5552765851e4db6d8346af1473568c7d1497fd848648e32bd1c5c8d8cb2f
AgentTesla
75264b6aba2081bf00b5744a1e78f0c2cc933ba030372ead5e70b1783e649e4a
AgentTesla
a4cbe2fef2108f52a5f1bde9893f60faabc1042137bf40229dcf54598e608c3b
AgentTesla
bacbd1e1b139791f7ca8eeba6a14cf7b34c9c010aca5ce7eb527aea212448868
AgentTesla
c822aa53c6e49a7aa3e32869936583cd7308a414974d76b9bdd196908befbc16
AgentTesla
e0bf431e6a5290be917784e83d5641db358d73b72cb2caa7ce1f05a5542da8c2
AgentTesla
+ 1'640 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201203-v2qzczffte/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
14834e422ad8358e7ab81ecaeac49eaedcd036c084ab26c9e33193c26b138241
MD5 hash:
6fc0b6bc27b1d5c59a1500e2aea68722
SHA1 hash:
837917dd7748ae07bd17357fa61045a75d30358e
Link:
https://www.unpac.me/results/c7d4943b-8608-4494-a91b-5ca0bb08129d/
SH256 hash:
5f40f0eb593f0202c8bf43fee6520149a951ced26c299bb7cdceb423e7422a27
MD5 hash:
efc1b8e9f7c1d679f1f4697ab72b658d
SHA1 hash:
0c5aac18919271414c794ead551809844276beb8
Link:
https://www.unpac.me/results/c7d4943b-8608-4494-a91b-5ca0bb08129d/
SH256 hash:
83a230425dced4f00c798972ba8b5b3762f95658aaa35b2e559fbd2d5dadc234
MD5 hash:
0153a6458991c6631f2a60dc9a207e66
SHA1 hash:
19c89e88839f47ffa6f0e67fccb70d70f46746b7
Link:
https://www.unpac.me/results/c7d4943b-8608-4494-a91b-5ca0bb08129d/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/c7d4943b-8608-4494-a91b-5ca0bb08129d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.75
Link:
https://yomi.yoroi.company/submissions/14834e422ad8358e7ab81ecaeac49eaedcd036c084ab26c9e33193c26b138241

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 6ae002072ff8d8224c7a4c9cdb78d59e3420ee825b45ad5496919b349679efed

AgentTesla

Executable exe 14834e422ad8358e7ab81ecaeac49eaedcd036c084ab26c9e33193c26b138241

(this sample)

  
Dropped by
MD5 92b607e9673ddbaf0ead144d88d1b52b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106564/
  
Dropped by
SHA256 6ae002072ff8d8224c7a4c9cdb78d59e3420ee825b45ad5496919b349679efed

Comments