MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a90c85df972b45ce610304517be47a742b7cdba4f19f54c9a6b7244649c9290. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a90c85df972b45ce610304517be47a742b7cdba4f19f54c9a6b7244649c9290
SHA3-384 hash: 5c97f0cf21dd1235ec6171382ec2ae50d90eea1703784abfdc982e12c30b519c28c1e2fcef591ab1c15b8eb3bae70c0c
SHA1 hash: 0692d788621c7661814646a74b67eda668770971
MD5 hash: 12db4a575e53027b750d4f3729f5a14e
humanhash: london-skylark-july-eleven
File name:12db4a575e53027b750d4f3729f5a14e.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'679'744 bytes
First seen:2021-02-05 19:53:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:1ngjv83x7BA1bXPCC3yiJijrgD5p6CloB0VEU7o4h7XtsSp2L7x1WvBkFton1YfD:1
Threatray 11'084 similar samples on MalwareBazaar
TLSH 7F06F24ACD93C19D84B3CEF683FF705F12A9EB7E795A2490242AE2875B873C59744C21
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.spamora.net:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
283
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
12db4a575e53027b750d4f3729f5a14e.exe
Verdict:
Malicious activity
Analysis date:
2021-02-05 20:10:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/a0309507-bd09-4a3d-af32-d004e7f35e7a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115892/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Launching the default Windows debugger (dwwin.exe)
Creating a window
Using the Windows Management Instrumentation requests
Sending a UDP request
Reading critical registry keys
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Enabling autorun
Changing the hosts file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/600785
Signature
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 349412 Sample: 9qyjV3QacT.exe Startdate: 05/02/2021 Architecture: WINDOWS Score: 100 71 Found malware configuration 2->71 73 Yara detected AgentTesla 2->73 75 C2 URLs / IPs found in malware configuration 2->75 77 2 other signatures 2->77 7 9qyjV3QacT.exe 3 5 2->7         started        11 9qyjV3QacT.exe 3 2->11         started        14 9qyjV3QacT.exe 2->14         started        16 3 other processes 2->16 process3 dnsIp4 63 C:\Users\user\AppData\...\9qyjV3QacT.exe, PE32 7->63 dropped 65 C:\Users\...\9qyjV3QacT.exe:Zone.Identifier, ASCII 7->65 dropped 91 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->91 93 Creates an undocumented autostart registry key 7->93 95 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->95 105 2 other signatures 7->105 18 9qyjV3QacT.exe 2 7->18         started        22 WerFault.exe 20 9 7->22         started        25 cmd.exe 1 7->25         started        69 192.168.2.1 unknown unknown 11->69 97 Hides threads from debuggers 11->97 99 Injects a PE file into a foreign processes 11->99 27 9qyjV3QacT.exe 11->27         started        29 WerFault.exe 11->29         started        35 2 other processes 11->35 31 WerFault.exe 14->31         started        37 3 other processes 14->37 101 Creates autostart registry keys with suspicious names 16->101 103 Creates multiple autostart registry keys 16->103 33 cmd.exe 16->33         started        file5 signatures6 process7 dnsIp8 67 mail.spamora.net 185.26.106.194, 49724, 49727, 587 ATE-ASFR France 18->67 79 Modifies the hosts file 18->79 81 Installs a global keyboard hook 18->81 55 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 22->55 dropped 39 conhost.exe 25->39         started        41 timeout.exe 1 25->41         started        57 C:\Windows\System32\drivers\etc\hosts, ASCII 27->57 dropped 83 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 27->83 85 Tries to steal Mail credentials (via file access) 27->85 87 Tries to harvest and steal ftp login credentials 27->87 89 Tries to harvest and steal browser information (history, passwords, etc) 27->89 59 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 29->59 dropped 61 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 31->61 dropped 43 conhost.exe 33->43         started        45 timeout.exe 33->45         started        47 conhost.exe 35->47         started        49 timeout.exe 35->49         started        51 conhost.exe 37->51         started        53 timeout.exe 37->53         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a90c85df972b45ce610304517be47a742b7cdba4f19f54c9a6b7244649c9290/
Threat name:
ByteCode-MSIL.Trojan.Scarsi
Create hunting rule
Status:
Malicious
First seen:
2021-02-05 19:54:19 UTC
AV detection:
10 of 29 (34.48%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=dkimqxpzok2fzzqqgbcrppshu5blptn2j4m7kte2nnzeize4skia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1c4a38783b7106da94c3bfdf1e3719a6e0761b2007441f035ca9ff38021dc2b5
AgentTesla
3bbed2bec4921aca55a13e5ccf12147bb43f164a915e9b1b0a0bfb9a54954409
AgentTesla
48e2e258e44d96537874773301324e9ac9d69086808fac632a599746cdb3bd91
AgentTesla
6b24da236543d38133dc41cadcf3dea51bc290479b3d669031a2c8668a620648
AgentTesla
74561e938b5a4d9966fa56ba62082b6bcc9deecbe62984d1ebfc7db34eaf9f17
AgentTesla
90389790309ed963a0908cec1a9a6866ae0c6e41c8103454f3a311bc93a21125
AgentTesla
9913754d30b7cf04988adc1cb3d04fd3822958908216bd48df128df2a653f8cf
AgentTesla
d9f4c10febc99ea723d7f3f13d92be6bd54fc18eab233e5b28c5bcff0f3c1e1e
AgentTesla
e3fc20c3720e3822c54c48f53cffb77b3a21769eb9c03c63fe7fb032d7181bfa
AgentTesla
ef233cee4b1ff1192e4213b68857105e0a091c9a84c9a8146821eb48cfebf666
AgentTesla
+ 11'074 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence ransomware spyware stealer trojan
Link:
https://tria.ge/reports/210205-7lkkydpskx/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
f7c9ff20f26fdd7bfca6ac06b0a341f82cf05e2734a051c80752bac46c820732
MD5 hash:
0e13e8ad53aea5511fee9c9bd3cab9ad
SHA1 hash:
b85c18fff9e61c6b35297c9d9e279687711982e1
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/e9e7cbb7-c4cb-4363-aaac-d2e8ec855a2d/
SH256 hash:
7589575fb645c334d9df0bd92ab413f6f99a585027394e711614d171738c1467
MD5 hash:
fd5742122a74550d2773675bcb57d496
SHA1 hash:
21614416ad9e20e7246c19a21c13bb65ba9f6fb1
Link:
https://www.unpac.me/results/e9e7cbb7-c4cb-4363-aaac-d2e8ec855a2d/
SH256 hash:
1a90c85df972b45ce610304517be47a742b7cdba4f19f54c9a6b7244649c9290
MD5 hash:
12db4a575e53027b750d4f3729f5a14e
SHA1 hash:
0692d788621c7661814646a74b67eda668770971
Link:
https://www.unpac.me/results/e9e7cbb7-c4cb-4363-aaac-d2e8ec855a2d/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1a90c85df972b45ce610304517be47a742b7cdba4f19f54c9a6b7244649c9290

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 1a90c85df972b45ce610304517be47a742b7cdba4f19f54c9a6b7244649c9290

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/948953/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/115892/

Comments