MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18b15e7dea76f8789482144395615e606a6db4eeff9e80ea368ae83503a490e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 18b15e7dea76f8789482144395615e606a6db4eeff9e80ea368ae83503a490e3
SHA3-384 hash: 994d3cbdcbd582d0bca263c5a34c1e9df83ef75bb9d5b9a353c2d344531d8744968ed57271846c9e6f62e8be3a44940b
SHA1 hash: 94e3478a2c22f5638e409d25c788dd3f5769d3e4
MD5 hash: 5de4cabb7f28e15b05da3c499783b606
humanhash: music-minnesota-green-quebec
File name:Payment_Advice_Ref[GF54567754643].exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'304'064 bytes
First seen:2020-12-22 13:33:33 UTC
Last seen:2020-12-22 20:12:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 24576:4MBezwTTQ0l4DsPhePguVFK5o67wDzLH:j/wopP2BVFYo6ELH
Threatray 2'218 similar samples on MalwareBazaar
TLSH 0055BF243DEA4005F233AF76C6DA70998ABEFE737E43A12A6454320F4633E49ED41579
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
290
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment_Advice_Ref[GF54567754643].exe
Verdict:
Malicious activity
Analysis date:
2020-12-22 13:46:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/5376ad3c-7335-4768-bc95-1c71c38bbb55

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108903/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.35814359.1099.26289.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/568331
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Allocates memory in foreign processes
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333237 Sample: Payment_Advice_Ref[GF545677... Startdate: 22/12/2020 Architecture: WINDOWS Score: 100 52 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->52 54 Multi AV Scanner detection for domain / URL 2->54 56 Found malware configuration 2->56 58 12 other signatures 2->58 7 Payment_Advice_Ref[GF54567754643].exe 7 2->7         started        11 lEmohP.exe 2 2->11         started        13 lEmohP.exe 1 2->13         started        process3 file4 32 C:\Users\user\AppData\...\ozASeSEJuFcKVq.exe, PE32 7->32 dropped 34 C:\...\ozASeSEJuFcKVq.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmp1687.tmp, XML 7->36 dropped 38 Payment_Advice_Ref...4567754643].exe.log, ASCII 7->38 dropped 60 Writes to foreign memory regions 7->60 62 Allocates memory in foreign processes 7->62 64 Injects a PE file into a foreign processes 7->64 15 RegSvcs.exe 2 4 7->15         started        20 schtasks.exe 1 7->20         started        22 conhost.exe 11->22         started        24 conhost.exe 13->24         started        signatures5 process6 dnsIp7 40 transgear.in 204.11.58.28, 49754, 587 PUBLIC-DOMAIN-REGISTRYUS United States 15->40 42 mail.transgear.in 15->42 28 C:\Users\user\AppData\Roaming\...\lEmohP.exe, PE32 15->28 dropped 30 C:\Windows\System32\drivers\etc\hosts, ASCII 15->30 dropped 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->44 46 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->46 48 Tries to steal Mail credentials (via file access) 15->48 50 5 other signatures 15->50 26 conhost.exe 20->26         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/18b15e7dea76f8789482144395615e606a6db4eeff9e80ea368ae83503a490e3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-22 05:48:41 UTC
File Type:
PE (.Net Exe)
Extracted files:
37
AV detection:
20 of 28 (71.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dcyv47pko34hrfeccrbzkyk6mbvg3nho76pib2rwrludka5esdrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1b22054e5e50c8a9323d4bd781fbeaff2611f65299b321fe2a1dc855d70c8904
AgentTesla
1d35fbe1961f63fcc426c5a332d5dfc93dd051ecdfd17ea47790f80f22171ce1
AgentTesla
4c42b2d7062de59d0e879b4ee2760059602a8f1283d80a821db2ea2940c186a9
AgentTesla
4f09f892c1736f0feecb9a0b4943b366d54b4693ddb29f9befaed99358ac314d
AgentTesla
5a3ca8fc0e2960f3e95dbadb80baf53731b5e5201c3e32cb72c287d8a5711be3
AgentTesla
62875bbcc1ccebc66490cf8aa7781b959500dec28eee481312a1da08872eb465
AgentTesla
7dedec20bd48185fe3552f7e1b739f71179589b882d503fab5303301b22cb3cb
AgentTesla
a915c3b5063684919714518b71d0029802c7b6ff100867abe5ce7d935d8ea27f
AgentTesla
d8bc8c8cb41e1541453fbf2f6cef2f6db65e6173a2d3c41a995d789314986d96
AgentTesla
e6cf479a5e1cce24253d7e37c22c77ee68de99d64b4004c3b9d68d78f0067989
AgentTesla
+ 2'208 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201222-bkexg5kkcn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
a9c1fc65afb8a5af7af4f2f7825f55e9cc5d3f1ecf19e2155eca3cc7057ee677
MD5 hash:
422e369027b127adc789bb9893044aaf
SHA1 hash:
35a1dccf0522bac4db6872aa3657a5bc83c55efe
Link:
https://www.unpac.me/results/a7a15b95-0f1b-421c-b387-5c5e82eb19e8/
SH256 hash:
f59e64b75a1fadbb08cf1fa66be05da45dddb9068af50aa77ee24d19f8331b9f
MD5 hash:
5d5dfabd211b7a51de77266ee732f5de
SHA1 hash:
adc1131d30203c4f23e1a109e8d0666523e5f517
Link:
https://www.unpac.me/results/a7a15b95-0f1b-421c-b387-5c5e82eb19e8/
SH256 hash:
d8e61b496a5712b6a99f59eca6bcf6a84fc84d48fbd93a0a50e542c0137f7458
MD5 hash:
d92f2efc6cd523dc4bc8bb5dbd6e2928
SHA1 hash:
b0c9fd50a7d587533a9c2ca4d5e699855fbdfdd4
Link:
https://www.unpac.me/results/a7a15b95-0f1b-421c-b387-5c5e82eb19e8/
SH256 hash:
3ca9cf478845d74c61a836a02908c7d26d5e0b2fb8d03f92bfe5ed4a8865527a
MD5 hash:
ccaf4c52861605afe12d4fb1f927ef32
SHA1 hash:
c8c52901e58187e7597c984fb893410e613d571b
Link:
https://www.unpac.me/results/a7a15b95-0f1b-421c-b387-5c5e82eb19e8/
SH256 hash:
18b15e7dea76f8789482144395615e606a6db4eeff9e80ea368ae83503a490e3
MD5 hash:
5de4cabb7f28e15b05da3c499783b606
SHA1 hash:
94e3478a2c22f5638e409d25c788dd3f5769d3e4
Link:
https://www.unpac.me/results/a7a15b95-0f1b-421c-b387-5c5e82eb19e8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/18b15e7dea76f8789482144395615e606a6db4eeff9e80ea368ae83503a490e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar ffe14f4cf5fccfe2573c5b2f02470adb3b4878dc1e28c415e39fe776cd5e30ff

AgentTesla

Executable exe 18b15e7dea76f8789482144395615e606a6db4eeff9e80ea368ae83503a490e3

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ffe14f4cf5fccfe2573c5b2f02470adb3b4878dc1e28c415e39fe776cd5e30ff
Cape
Cape
https://www.capesandbox.com/analysis/108903/

Comments