MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a4dea5eadd7dd451ad9a13ba19fce11b26e33e0a730662fb39147ea7f0b94bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a4dea5eadd7dd451ad9a13ba19fce11b26e33e0a730662fb39147ea7f0b94bd
SHA3-384 hash: 5d36c40c1382ef881f7c4b6a2730aa4b4c51c680699eb9532a93d9a0eb99880abf9c7d66656c0d4cede4c7accbd76a1a
SHA1 hash: d5690bc2382fb5b3573f384e54c5c0024d9d1e3f
MD5 hash: 295f535ef5d83393525677f6c228eee1
humanhash: alabama-red-speaker-spring
File name:LC DRAFT COPY_images.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:543'744 bytes
First seen:2020-07-25 07:44:34 UTC
Last seen:2020-07-25 08:57:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 6144:douArpLRZKGn6pXJV7fxXI1GaIoTYA01bRk4qeYjKWn5vpAzALYlnNu3OLO5RqnR:dR0RZKGnoxxXIkahx03YdBKkLYlE3oL
Threatray 10'697 similar samples on MalwareBazaar
TLSH 84C44A4473D84708F0BE2F367C794A990976FCD7AEB4E62E0D95248C1C62B41D962F3A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.example.com
Sending IP: 103.147.184.169
From: Huanggang Yongan Pharmaceutical Co.,Ltd <yongan@yongangroup.com>
Subject: Re: LC Draft ,please chck & confirm
Attachment: LC DRAFT COPY_images.rar (contains "LC DRAFT COPY_images.exe")

AgentTesla SMTP exfil server:
smtp.office365.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/32346/
Detection(s):
SecuriteInfo.com.Variant.Bulz.5843.30161.4453.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/397887
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Drops PE files to the user root directory
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 251125 Sample: LC DRAFT COPY_images.exe Startdate: 25/07/2020 Architecture: WINDOWS Score: 100 77 Antivirus detection for dropped file 2->77 79 Antivirus / Scanner detection for submitted sample 2->79 81 Multi AV Scanner detection for dropped file 2->81 83 6 other signatures 2->83 13 LC DRAFT COPY_images.exe 3 2->13         started        17 inquiry.exe 2 2->17         started        19 inquiry.exe 2->19         started        process3 file4 69 C:\Users\user\Office, PE32 13->69 dropped 71 C:\Users\user\Office:Zone.Identifier, ASCII 13->71 dropped 111 Maps a DLL or memory area into another process 13->111 113 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->113 21 LC DRAFT COPY_images.exe 1 13->21         started        24 RegAsm.exe 13->24         started        26 RegAsm.exe 1 4 13->26         started        28 RegAsm.exe 13->28         started        30 conhost.exe 17->30         started        32 conhost.exe 19->32         started        signatures5 process6 signatures7 87 Maps a DLL or memory area into another process 21->87 34 LC DRAFT COPY_images.exe 1 21->34         started        37 RegAsm.exe 2 21->37         started        89 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 24->89 91 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 24->91 93 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->93 process8 signatures9 85 Maps a DLL or memory area into another process 34->85 39 LC DRAFT COPY_images.exe 34->39         started        42 RegAsm.exe 3 34->42         started        process10 signatures11 99 Maps a DLL or memory area into another process 39->99 44 LC DRAFT COPY_images.exe 39->44         started        47 RegAsm.exe 39->47         started        101 Hides that the sample has been downloaded from the Internet (zone.identifier) 42->101 process12 signatures13 103 Maps a DLL or memory area into another process 44->103 49 LC DRAFT COPY_images.exe 44->49         started        52 RegAsm.exe 44->52         started        105 Hides that the sample has been downloaded from the Internet (zone.identifier) 47->105 process14 signatures15 73 Maps a DLL or memory area into another process 49->73 54 LC DRAFT COPY_images.exe 49->54         started        57 RegAsm.exe 49->57         started        75 Hides that the sample has been downloaded from the Internet (zone.identifier) 52->75 process16 signatures17 95 Maps a DLL or memory area into another process 54->95 59 RegAsm.exe 54->59         started        63 LC DRAFT COPY_images.exe 54->63         started        97 Hides that the sample has been downloaded from the Internet (zone.identifier) 57->97 process18 file19 67 C:\Users\user\AppData\Roaming\...\inquiry.exe, PE32 59->67 dropped 107 Hides that the sample has been downloaded from the Internet (zone.identifier) 59->107 109 Maps a DLL or memory area into another process 63->109 65 RegAsm.exe 63->65         started        signatures20 process21
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1a4dea5eadd7dd451ad9a13ba19fce11b26e33e0a730662fb39147ea7f0b94bd/
Threat name:
ByteCode-MSIL.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-07-25 01:54:21 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=djg6uxvn27oukgwzue52dh6ocgzg4m7au4ygml5tsfd6u7ylss6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1eeb2016c83b430e5e444f7dade67a84d441061180087ac57eb8f89d196d4773
AgentTesla
7786ef408278293766683d25a353680fc130041f487d7b97aae8ea77bd3f220c
AgentTesla
87dc16528521b99284a5d7e466d1cd5047c3ca27caaa05a0ea6ccd11b63dd3b8
AgentTesla
967360ebfc55336f03edccc32869b0e6b65c17e66fcdac083d4bcc185b852c0d
AgentTesla
977f37f6da287943b0d86e4b7a02cc4e346780361932262547cd369bad033c9b
AgentTesla
9bcfc07b259ef80e8e639dce55ae194b5bfd74902d825de9cef183035c8ca2c1
AgentTesla
9dc6752dd96670e64e948fc193015555f6fb75e2c3329342e02d986692d5e66f
AgentTesla
c2d6a58ae4cc93b225f512a127c751c63398d0fdb7f847b77c83cad6cb79e6bd
AgentTesla
d459d3db7a71231b9d10d59ba1f1ff3b25992216f4c78f4816e2fb2b5e169404
AgentTesla
f15d580cc1e0b17070f7fe48cb8d8a60177e4e8468d5b5f2008e6be5c3a85b42
AgentTesla
+ 10'687 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200725-vxr83jzzte/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a4dea5eadd7dd451ad9a13ba19fce11b26e33e0a730662fb39147ea7f0b94bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar af7ba45194d6437e0f4832ae1d65fb2bbc6f7ffe35d8a7276acaa97d6cb19276

AgentTesla

Executable exe 1a4dea5eadd7dd451ad9a13ba19fce11b26e33e0a730662fb39147ea7f0b94bd

(this sample)

  
Dropped by
MD5 f4e68780a902bce93f6dcbe614b5d64e
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 af7ba45194d6437e0f4832ae1d65fb2bbc6f7ffe35d8a7276acaa97d6cb19276
Cape
Cape
https://www.capesandbox.com/analysis/32346/

Comments