MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20d3cfdb31efea5342fbc7bec9f0e3c5342ea0d370e9fe33a4fd3506f2129cdd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20d3cfdb31efea5342fbc7bec9f0e3c5342ea0d370e9fe33a4fd3506f2129cdd
SHA3-384 hash: 4da2145c935e37ed57d0f3a996ac2ba4b1ab408d0af442ec303490923a12982af8e36a5f86d6f8be97742538d885bd30
SHA1 hash: d9627029ce67dd8f8566efcdc3199e3f6b5ae2b7
MD5 hash: fc0ac96b4d0826d27363c4ee1f52bbac
humanhash: magnesium-three-eleven-snake
File name:DUBAI UAE HCU234ED.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:948'736 bytes
First seen:2021-02-14 16:23:59 UTC
Last seen:2021-02-14 18:17:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:gAO6ZPvq1igKj7QAFGfrPizk/vQLkCuthjCTmiN6xuaLKKcVOcfVJ2+Dsiy:SiPuOQAFIDCk3ykCuthjiN6fL2Dfn8
Threatray 2'830 similar samples on MalwareBazaar
TLSH 0215BE26D6445B44EC3D573BC4A64C2093FABD37AA32C02E6DDC34E95AB3BDA5131A07
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: menara.ma
Sending IP: 37.49.225.161
From: Mohammed Arif <coelma@menara.ma>
Subject: REQUEST FOR QUOTATION AL JABER DUBAI REF:3214ED21 Please send your best possible rates
Attachment: DUBAI UAE HCU234ED.Gz (contains "DUBAI UAE HCU234ED.exe")

AgentTesla SMTP exfil server:
webmail.pancare.lk:587

AgentTesla SMTP exfil email address:
sales@pancare.lk

Intelligence

File Origin
# of uploads :
2
# of downloads :
184
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DUBAI UAE HCU234ED.exe
Verdict:
Malicious activity
Analysis date:
2021-02-14 16:25:27 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/047f8805-8499-4bf3-84cb-b97e9e281a11

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117081/
Detection(s):
SecuriteInfo.com.ArtemisFC0AC96B4D08.20294.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/607593
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 352825 Sample: DUBAI UAE HCU234ED.exe Startdate: 14/02/2021 Architecture: WINDOWS Score: 100 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Yara detected AgentTesla 2->47 49 8 other signatures 2->49 6 DUBAI UAE HCU234ED.exe 3 2->6         started        9 TmwkQvc.exe 2 2->9         started        11 TmwkQvc.exe 3 2->11         started        process3 file4 23 C:\Users\user\...\DUBAI UAE HCU234ED.exe.log, ASCII 6->23 dropped 14 DUBAI UAE HCU234ED.exe 2 5 6->14         started        19 TmwkQvc.exe 2 9->19         started        51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->51 53 Machine Learning detection for dropped file 11->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->55 21 TmwkQvc.exe 2 11->21         started        signatures5 process6 dnsIp7 29 webmail.pancare.lk 64.37.52.32, 49771, 49772, 587 DIMENOCUS United States 14->29 25 C:\Users\user\AppData\Roaming\...\TmwkQvc.exe, PE32 14->25 dropped 27 C:\Users\user\...\TmwkQvc.exe:Zone.Identifier, ASCII 14->27 dropped 31 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->31 33 Tries to steal Mail credentials (via file access) 14->33 35 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->35 37 Tries to harvest and steal ftp login credentials 19->37 39 Tries to harvest and steal browser information (history, passwords, etc) 19->39 41 Installs a global keyboard hook 19->41 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/20d3cfdb31efea5342fbc7bec9f0e3c5342ea0d370e9fe33a4fd3506f2129cdd/
Threat name:
Win32.Backdoor.NanoBot
Create hunting rule
Status:
Malicious
First seen:
2021-02-14 16:24:08 UTC
AV detection:
9 of 47 (19.15%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=edj47wzr57vfgqx3y67mt4hdyu2c5igtodu74m5e7u2qn4qsttoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19006e1934a36332207bb746cdfad53e5264682ed947d4f6c99debecefe12f99
AgentTesla
2e806e0101522c188033d18c53d9d8a3a769257c38898b2446a8b6b9b5a90ee8
AgentTesla
7d69ecaf108320a941b846030a0438843d5cc4ea8067807b7db4b783c1fffa60
AgentTesla
84040132d504dbc295119c29d7a8262392bf09caca8ede8236a26e2cab0ace6e
AgentTesla
8bb298fcc8ae3cfbf4e3be43c3a1b8a2cbee1981215df099bf3ec28846070b7d
AgentTesla
abd3a1a0ccfcc5e723e8b022e2dc025c617b94da33136673be439819a5160d6e
AgentTesla
bd89f6e2794f0c383ca15b99c53a28d6b527be58ec713efcafff4f0db21959f9
AgentTesla
caab2d0e7e9937e45bdd6d177c06691d0bfe812c2175acd4df0c7232955a3561
AgentTesla
deb5aeda39ad04b441ddbca22caa3a35e572483cc56e6a095b951342e716d6f6
AgentTesla
dfcc5df6ea28e158b19b5168275bd140720d5cd73e3df9dab5ecb513255d21f0
AgentTesla
+ 2'820 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  6/10
Tags:
persistence
Link:
https://tria.ge/reports/210214-33nhz4cfke/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/cf9247f6-0c3b-44fd-9a44-3ac9298fd7a8/
SH256 hash:
20d3cfdb31efea5342fbc7bec9f0e3c5342ea0d370e9fe33a4fd3506f2129cdd
MD5 hash:
fc0ac96b4d0826d27363c4ee1f52bbac
SHA1 hash:
d9627029ce67dd8f8566efcdc3199e3f6b5ae2b7
Link:
https://www.unpac.me/results/cf9247f6-0c3b-44fd-9a44-3ac9298fd7a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/20d3cfdb31efea5342fbc7bec9f0e3c5342ea0d370e9fe33a4fd3506f2129cdd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz e6ebddedfc496d990d6fae092acd0b86dfe57405c59ad8ac1c9a66213d7e340f

AgentTesla

Executable exe 20d3cfdb31efea5342fbc7bec9f0e3c5342ea0d370e9fe33a4fd3506f2129cdd

(this sample)

  
Dropped by
MD5 96434a8187f2db3bdd136acbb2e4f063
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/117081/
  
Dropped by
SHA256 e6ebddedfc496d990d6fae092acd0b86dfe57405c59ad8ac1c9a66213d7e340f

Comments