MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a491366f51516a92c36a9adf1db7c9c18ee6ae24bb18b4a296d0e1d0f81912e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a491366f51516a92c36a9adf1db7c9c18ee6ae24bb18b4a296d0e1d0f81912e
SHA3-384 hash: 9b32be202c024b434b1c58e560f6746e99b972f1ebcdf6a6052a1230f425606e7fd4a6504c576c38c9e3657603e36066
SHA1 hash: 5d6dbb62821e1d69b11227380f334d7b3f0112dc
MD5 hash: 1e7a9197082dc74edcc8f18df054e75a
humanhash: lima-steak-finch-iowa
File name:COMPANY PROFILE.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:645'120 bytes
First seen:2020-10-19 06:29:58 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:JAy9EP1NA8neGemsnCEimcs0Il+yMn9D5uM7zLjr:XGPTneGem05imr5kyK9D5uq/r
Threatray 666 similar samples on MalwareBazaar
TLSH 41D4CF366A05AF19D1BC433BE0D5182093FADC07D322D1AB7EF961DC2991FD8A632617
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: nasegypt.com
Sending IP: 37.49.225.235
From: JSBP Construkt Inc <h.mostapha@nasegypt.com>
Reply-To: Email ADMIN <noreply@domain-admin.com>
Subject: RFQ-ASAP
Attachment: COMPANY PROFILE.rar (contains "COMPANY PROFILE.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72724/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494840
Signature
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299871 Sample: COMPANY PROFILE.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 Sigma detected: Scheduled temp file as task from temp location 2->37 39 8 other signatures 2->39 7 COMPANY PROFILE.exe 7 2->7         started        process3 file4 23 C:\Users\user\AppData\...\TzhnslqCCGjIai.exe, PE32 7->23 dropped 25 C:\...\TzhnslqCCGjIai.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\user\AppData\Local\...\tmp1EC2.tmp, XML 7->27 dropped 29 C:\Users\user\...\COMPANY PROFILE.exe.log, ASCII 7->29 dropped 41 Writes to foreign memory regions 7->41 43 Injects a PE file into a foreign processes 7->43 11 RegSvcs.exe 2 7->11         started        15 RegSvcs.exe 7->15         started        17 schtasks.exe 1 7->17         started        19 2 other processes 7->19 signatures5 process6 dnsIp7 31 mail.privateemail.com 198.54.122.60, 49760, 587 NAMECHEAP-NETUS United States 11->31 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 55 2 other signatures 11->55 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->53 21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a491366f51516a92c36a9adf1db7c9c18ee6ae24bb18b4a296d0e1d0f81912e/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-18 23:47:13 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=djergzxvculkslbwvgw7dw34tqmo42xcjoyywsrjnuhb2d4bsexa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
026b38e8eb0e4f505dc5601246143e7e77bbd2630b91df50622e7a14e0728675
AgentTesla
38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d
AgentTesla
5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66
AgentTesla
5193daa3e21a010020f044a9167f141a4c9e62d8f19b21dc82049045a2fbee48
AgentTesla
80f45086395417ea3bda68a20d2fc5b0bc5050c000023d82544fd2b5b5a8ce89
AgentTesla
874d56e400622b93fb1606b348a4fc41c112de5c69cc13ef0845d378db9ef6a6
AgentTesla
a02051e8bd0706ecb404bcc7df771bc035228890fc2ac09e1b2d02e686136520
AgentTesla
ba495069a1b601a12f32f6e346dfe60958f73caa0048fb702e357fee17d58d54
AgentTesla
bd4ef5e45ec6e18bc4fc2225588ea4d01151f8f82aeb073a75868bdbcfc66b5a
AgentTesla
de92f367f0cd6124c89fca0b754bf8dafe8a6a993b56380edb5fc8676c58cdb5
AgentTesla
+ 656 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion
Link:
https://tria.ge/reports/201019-35pcfscvla/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
1a491366f51516a92c36a9adf1db7c9c18ee6ae24bb18b4a296d0e1d0f81912e
MD5 hash:
1e7a9197082dc74edcc8f18df054e75a
SHA1 hash:
5d6dbb62821e1d69b11227380f334d7b3f0112dc
Link:
https://www.unpac.me/results/66da0c6e-750d-4c8f-b236-58662e2ffe8b/
SH256 hash:
c24ae2c6f81846600f83546062af7f848e32d6fa6c606986ea373f0341383b7e
MD5 hash:
28b3742f7c2218dc0a37752f2cbc2e57
SHA1 hash:
443c70055b67a34aedef9563a05737dfbbbea84e
Link:
https://www.unpac.me/results/66da0c6e-750d-4c8f-b236-58662e2ffe8b/
SH256 hash:
49edf1b56f28e213cc4efae549c7bc34548443efdcc50a3cb975b1e3205c5ca3
MD5 hash:
d380b8622a43695258a17d0ff62597de
SHA1 hash:
7238b54005651b15d4c1a7110b30133c0e037b52
Link:
https://www.unpac.me/results/66da0c6e-750d-4c8f-b236-58662e2ffe8b/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/66da0c6e-750d-4c8f-b236-58662e2ffe8b/
SH256 hash:
6efef14c2d37b6a97606d3cd86ec4c534586bc1e2d58766028750bea6c80c4be
MD5 hash:
c40c8c85823fb1e74676a49036e38e40
SHA1 hash:
fddce8094b7fbd65734a57e2edd6c6f901cefe93
Link:
https://www.unpac.me/results/66da0c6e-750d-4c8f-b236-58662e2ffe8b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a491366f51516a92c36a9adf1db7c9c18ee6ae24bb18b4a296d0e1d0f81912e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:RSharedStrings
Create hunting rule
Author:Katie Kleemola
Description:identifiers for remote and gmremote
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar e4821f23851252f25c611325d6a12516d725210c2b69c8d254cf459cce0dd8b4

AgentTesla

Executable exe 1a491366f51516a92c36a9adf1db7c9c18ee6ae24bb18b4a296d0e1d0f81912e

(this sample)

  
Dropped by
MD5 c696d15d3c4b46dc8f01f8d4ed39a209
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e4821f23851252f25c611325d6a12516d725210c2b69c8d254cf459cce0dd8b4
Cape
Cape
https://www.capesandbox.com/analysis/72724/

Comments