MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d203be4dc4e2e312fbb0e6e7521f63bc62ed20fff24bb8ebe5887f8c7ba31e5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d203be4dc4e2e312fbb0e6e7521f63bc62ed20fff24bb8ebe5887f8c7ba31e5
SHA3-384 hash: a48d7e1752d1f5e4c4c15a44a9b917cb71fceb7dc0b66fb7a0a7a50abb376de1e3a2920dd4d7045f2885379733b9222b
SHA1 hash: b285a63bdb4e444ab7264b5d612edec576f5d400
MD5 hash: f44445dc40c5703a62fa963858f449a9
humanhash: kansas-july-tennessee-december
File name:f44445dc40c5703a62fa963858f449a9.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:730'240 bytes
First seen:2021-05-10 13:03:47 UTC
Last seen:2021-05-10 14:03:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 6b3ae8f7a807e67f6fac520b10e5dbe8 (6 x RemcosRAT, 2 x Formbook, 2 x AgentTesla)
ssdeep 12288:crnWDrl98a7LUacm7sbiD97T5QM4Pr4rzU/Oy/x:crWnZnUivR71B48rzUD/
Threatray 113 similar samples on MalwareBazaar
TLSH D4F48C21B2D04473D17E1E389F5BB2F4582DBF5029E4247A6BF4BD489F396813C2929E
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Detection:
RedLine
Create hunting rule
Link:
https://www.capesandbox.com/analysis/154084/
Detection(s):
PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Trojan.DownLoader38.59180.24719.24788.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a UDP request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Unauthorized injection to a recently created process
Running batch commands
Creating a process with a hidden window
Launching cmd.exe command interpreter
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/777438
Signature
Adds a directory exclusion to Windows Defender
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
DLL side loading technique detected
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files to the user root directory
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Execution from Suspicious Folder
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Suspicious powershell command line found
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 409840 Sample: aFMnf1WQEQ.exe Startdate: 10/05/2021 Architecture: WINDOWS Score: 100 61 tractorandinas.com 2->61 63 ftp.tractorandinas.com 2->63 65 clientconfig.passport.net 2->65 81 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->81 83 Found malware configuration 2->83 85 Multi AV Scanner detection for dropped file 2->85 87 4 other signatures 2->87 12 aFMnf1WQEQ.exe 1 25 2->12         started        17 Vaijia.exe 16 2->17         started        19 Vaijia.exe 16 2->19         started        signatures3 process4 dnsIp5 67 onedrive.live.com 12->67 69 dxx05q.am.files.1drv.com 12->69 71 dm-files.fe.1drv.com 12->71 51 C:\Users\Public\Vaijia\Vaijia.exe, PE32 12->51 dropped 53 C:\Users\Public53etplwiz.exe, PE32+ 12->53 dropped 55 C:\Users\Public55ETUTILS.dll, PE32+ 12->55 dropped 97 Detected unpacking (changes PE section rights) 12->97 99 Detected unpacking (overwrites its own PE header) 12->99 101 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->101 109 2 other signatures 12->109 21 cmd.exe 1 12->21         started        23 aFMnf1WQEQ.exe 2 12->23         started        73 onedrive.live.com 17->73 77 2 other IPs or domains 17->77 103 Multi AV Scanner detection for dropped file 17->103 105 Machine Learning detection for dropped file 17->105 107 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 17->107 26 Vaijia.exe 17->26         started        75 onedrive.live.com 19->75 79 2 other IPs or domains 19->79 file6 signatures7 process8 file9 29 cmd.exe 5 21->29         started        33 conhost.exe 21->33         started        89 Modifies the hosts file 23->89 49 C:\Windows\System32\drivers\etc\hosts, ASCII 26->49 dropped signatures10 process11 file12 57 C:\Windows \System3257etplwiz.exe, PE32+ 29->57 dropped 59 C:\Windows \System3259ETUTILS.dll, PE32+ 29->59 dropped 111 Drops executables to the windows directory (C:\Windows) and starts them 29->111 35 Netplwiz.exe 29->35         started        37 conhost.exe 29->37         started        signatures13 process14 process15 39 cmd.exe 1 35->39         started        signatures16 91 Suspicious powershell command line found 39->91 93 Adds a directory exclusion to Windows Defender 39->93 42 powershell.exe 25 39->42         started        45 conhost.exe 39->45         started        process17 signatures18 95 DLL side loading technique detected 42->95 47 conhost.exe 42->47         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1d203be4dc4e2e312fbb0e6e7521f63bc62ed20fff24bb8ebe5887f8c7ba31e5/
Threat name:
Win32.Backdoor.NetWiredRc
Create hunting rule
Status:
Malicious
First seen:
2021-05-10 13:04:23 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=duqdxzg4jyxdcl53bzxhkipwhpdc5uqp74slxdv6lcd7rr52ghsq._file
Verdict:
malicious
Similar samples:
1c409fee36dda5337ef340dd480d92fbf68da68bee2a28f267def6bbb63755f6
AgentTesla
29369c122e942e2ca2747a55895c0d0439acfc372f5b698b250bb6af7fc90914
AgentTesla
3418e1333e9001927ecc9000abf19f6dfd97a2a48399c9769182a132df8b39dc
AgentTesla
34ae6e94fd8ce101fadff4baf68d7c0b8bf606d1796b7c8199e7d45a9bc57a02
AgentTesla
40dc655d06780c3f628f6ec2c3848d797c8ba88dcc50e3397e4e464ec12aaade
AgentTesla
44130b6c18abaaea8d59ba7ef447b231e2bde5ae9fd572104ca51136e5e35150
AgentTesla
995f29caf80a4902430611c45e0619adbcd60e3a9f283a562fce6bd7baebc075
AgentTesla
aace20e28e61cb328da74ff938231b1ce9a07498d477efe3efc5c5d3d04b9dc1
AgentTesla
ba743ef93625025018dfc47978452d19503cee81e2adc2cd71ac0a173b3e2513
AgentTesla
c3ce62a44812edeca97182d5f26639b222ebe684021e7a7b922a499bd32d7f95
AgentTesla
+ 103 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210510-837shmqs7e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1d203be4dc4e2e312fbb0e6e7521f63bc62ed20fff24bb8ebe5887f8c7ba31e5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_DLAgent07
Create hunting rule
Author:ditekSHen
Description:Detects delf downloader agent
Rule name:MALWARE_Win_RedLine
Create hunting rule
Author:ditekshen
Description:Detects RedLine infostealer

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 1d203be4dc4e2e312fbb0e6e7521f63bc62ed20fff24bb8ebe5887f8c7ba31e5

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1215469/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/154084/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-10 14:18:28 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0001.025] Anti-Behavioral Analysis::Software Breakpoints
1) [B0001.032] Anti-Behavioral Analysis::Timing/Delay Check GetTickCount
2) [B0009.029] Anti-Behavioral Analysis::Instruction Testing
3) [F0002.002] Collection::Polling
5) [C0026.002] Data Micro-objective::XOR::Encode Data
7) [C0051] File System Micro-objective::Read File
8) [C0052] File System Micro-objective::Writes File
9) [C0007] Memory Micro-objective::Allocate Memory
10) [C0036.004] Operating System Micro-objective::Create Registry Key::Registry
11) [C0036.003] Operating System Micro-objective::Open Registry Key::Registry
12) [C0036.006] Operating System Micro-objective::Query Registry Value::Registry
13) [C0038] Process Micro-objective::Create Thread
14) [C0041] Process Micro-objective::Set Thread Local Storage Value
15) [C0018] Process Micro-objective::Terminate Process