MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1eb61b56f976e2b47aa77a2e84c86dd7050369f99b54f767ae9d5448c53c6294. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1eb61b56f976e2b47aa77a2e84c86dd7050369f99b54f767ae9d5448c53c6294
SHA3-384 hash: 027c37e366d6a73e91f74fcaa3d7d3ec3577e1d431d7680519a5ac281d72caafe51091bc5a03a2d44a5ac3338e433abe
SHA1 hash: 73172d5d76f1e77b71ae8afef801b1f3169f7347
MD5 hash: 638de7bf9a1bcba7a51ae3474387bc3b
humanhash: eighteen-magazine-sixteen-cardinal
File name:Transfer Form 2109202000018_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:578'048 bytes
First seen:2020-09-21 16:02:19 UTC
Last seen:2020-09-21 16:38:20 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:4ytQ++rib/zLY5CoF+kxl4LvOCy5GJpdb:2RrirC/Pb4L2N2p
Threatray 121 similar samples on MalwareBazaar
TLSH E8C49C1031A53B4AE5A89BB80354B4B2C3A52C567B22D3A87F8731FE65F17D07D25B0B
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/64015/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.43868389.18773.5987.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/471474
Signature
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 288171 Sample: Transfer Form 2109202000018... Startdate: 21/09/2020 Architecture: WINDOWS Score: 100 57 smtp.nhbisun.net 2->57 59 us2.smtp.mailhostbox.com 2->59 71 Found malware configuration 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 Sigma detected: Scheduled temp file as task from temp location 2->75 77 11 other signatures 2->77 8 Transfer Form 2109202000018_pdf.exe 4 2->8         started        11 mikapp.exe 3 2->11         started        14 mikapp.exe 2 2->14         started        signatures3 process4 file5 47 C:\Users\user\AppData\Roaming\YzILEUU.exe, PE32 8->47 dropped 49 C:\Users\user\AppData\Local\...\tmp8190.tmp, XML 8->49 dropped 51 Transfer Form 2109202000018_pdf.exe.log, ASCII 8->51 dropped 16 Transfer Form 2109202000018_pdf.exe 2 5 8->16         started        21 schtasks.exe 1 8->21         started        23 Transfer Form 2109202000018_pdf.exe 8->23         started        79 Multi AV Scanner detection for dropped file 11->79 81 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->81 83 Machine Learning detection for dropped file 11->83 87 3 other signatures 11->87 25 mikapp.exe 2 11->25         started        27 schtasks.exe 1 11->27         started        29 mikapp.exe 11->29         started        31 mikapp.exe 11->31         started        85 Injects a PE file into a foreign processes 14->85 33 mikapp.exe 14->33         started        35 schtasks.exe 14->35         started        signatures6 process7 dnsIp8 53 smtp.nhbisun.net 16->53 55 us2.smtp.mailhostbox.com 208.91.199.223, 49753, 49755, 587 PUBLIC-DOMAIN-REGISTRYUS United States 16->55 43 C:\Users\user\AppData\Roaming\...\mikapp.exe, PE32 16->43 dropped 45 C:\Users\user\...\mikapp.exe:Zone.Identifier, ASCII 16->45 dropped 61 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->61 63 Moves itself to temp directory 16->63 65 Tries to steal Mail credentials (via file access) 16->65 69 3 other signatures 16->69 37 conhost.exe 21->37         started        67 Installs a global keyboard hook 25->67 39 conhost.exe 27->39         started        41 conhost.exe 35->41         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1eb61b56f976e2b47aa77a2e84c86dd7050369f99b54f767ae9d5448c53c6294/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-09-21 00:37:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
18
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=d23bwvxzo3rli6vhpixijsdn24cqg2pztnkpoz5otvkerrj4mkka._file
Verdict:
suspicious
Similar samples:
125203c92ab4db76de740b9cb2ce5908bbf6ee86864855a4903e2d5c17953ad1
AgentTesla
2434b60331e372fc347f46ac1ede21a078fc11ddea75c52679ab4c49cd3c12c7
AgentTesla
4ae1deecb4b64f1e1b13b215c6b426cd887f1f5b072fb153916373766191d5df
AgentTesla
614052880e43375009bd02fcb10e8399d2e855cff58fc27ad94711dee1973186
AgentTesla
7301fa4edc89a5bd4a18479ebf5b88460ee35b4631e147a8754866a58bcae873
AgentTesla
93d22d39577ab983c75badd9019b57420a4e2bfc300d6a37d90885d823396058
AgentTesla
a6d47a142ce8ca991f9090ff981c4a4c5a021030fcc9610a582ecb8c96b607bd
AgentTesla
c1c58c6918062b4e641a924b19712a015d1a74b184e3fb19e444216edbdfcedd
AgentTesla
eb8ac6c18675770e603ff7b7c3076cab5bafda10a3634d50d575185d04506708
AgentTesla
fd427caee9d158cc48ba9b5a0ecd3243a77b354f07321a5f80e5fdcde17aed9f
AgentTesla
+ 111 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/200921-69w72gmk5e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Adds Run key to start application
Adds Run key to start application
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1eb61b56f976e2b47aa77a2e84c86dd7050369f99b54f767ae9d5448c53c6294

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/64015/

Comments