MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20d8758cb383de0f9fc1f26418262ccf4ab9a3369f59897395ccbbdcf59c7c68. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 20d8758cb383de0f9fc1f26418262ccf4ab9a3369f59897395ccbbdcf59c7c68
SHA3-384 hash: 61598fd087eea300565bedd7a92ec6a98c48d450ea05fdc828061ad4d3bb62a7eba74d7f466fc9b6f31413dfcb191d47
SHA1 hash: 7c123f8110131407dbdb57dd05ffd7c7c190a886
MD5 hash: dc261691b772a83b1a47a393d5a8cc60
humanhash: timing-beryllium-harry-fifteen
File name:SecuriteInfo.com.Trojan.DownloaderNET.117.28260.4590
Download: download sample
Signature AgentTesla
Create hunting rule
File size:25'088 bytes
First seen:2021-02-15 23:56:02 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 768:SP6R6r3JkM8tvMZ1219p1CcTgMekfsNQl4i+Cw:hR6r5kM8tbucTgesi63
Threatray 2'639 similar samples on MalwareBazaar
TLSH C4B2B709B69C4B62E1657F36F5AB73230338A3A71E31CD06FE89D743A9110D29E05F5A
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SecuriteInfo.com.Trojan.DownloaderNET.117.28260.4590
Verdict:
Malicious activity
Analysis date:
2021-02-16 00:05:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/70042a38-750e-4623-b72a-6824a459fbaf

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/117261/
Detection(s):
SecuriteInfo.com.Trojan.DownloaderNET.117.28260.4590.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending an HTTP GET request
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/608529
Signature
.NET source code contains very large array initializations
Contains functionality to hide a thread from the debugger
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 353296 Sample: SecuriteInfo.com.Trojan.Dow... Startdate: 16/02/2021 Architecture: WINDOWS Score: 100 55 Multi AV Scanner detection for submitted file 2->55 57 Yara detected AgentTesla 2->57 59 .NET source code contains very large array initializations 2->59 7 SecuriteInfo.com.Trojan.DownloaderNET.117.28260.exe 15 3 2->7         started        11 Mymp4.exe 14 3 2->11         started        13 Mymp4.exe 3 2->13         started        15 WerFault.exe 2->15         started        process3 dnsIp4 53 185.239.242.107, 49720, 49733, 49745 CLOUDIE-AS-APCloudieLimitedHK Moldova Republic of 7->53 69 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->69 71 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->71 73 Hides threads from debuggers 7->73 75 Contains functionality to hide a thread from the debugger 7->75 17 SecuriteInfo.com.Trojan.DownloaderNET.117.28260.exe 2 5 7->17         started        21 cmd.exe 1 7->21         started        23 WerFault.exe 23 11 7->23         started        77 Multi AV Scanner detection for dropped file 11->77 79 Injects a PE file into a foreign processes 11->79 25 cmd.exe 11->25         started        27 Mymp4.exe 11->27         started        29 Mymp4.exe 11->29         started        31 WerFault.exe 11->31         started        33 cmd.exe 13->33         started        35 SecuriteInfo.com.Trojan.DownloaderNET.117.28260.exe 15->35 injected signatures5 process6 file7 49 C:\Users\user\AppData\Roaming\...\Mymp4.exe, PE32 17->49 dropped 51 C:\Users\user\...\Mymp4.exe:Zone.Identifier, ASCII 17->51 dropped 61 Tries to steal Mail credentials (via file access) 17->61 63 Tries to harvest and steal ftp login credentials 17->63 65 Tries to harvest and steal browser information (history, passwords, etc) 17->65 67 2 other signatures 17->67 37 conhost.exe 21->37         started        39 timeout.exe 1 21->39         started        41 conhost.exe 25->41         started        43 timeout.exe 25->43         started        45 conhost.exe 33->45         started        47 timeout.exe 33->47         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/20d8758cb383de0f9fc1f26418262ccf4ab9a3369f59897395ccbbdcf59c7c68/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-09 08:58:38 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=edmhldftqppa7h6b6jsbqjrmz5fltizwt5mys44vzs55z5m4prua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01330ada2211171d1bb5db977363a94cea239c455ea8c2fabea401a29b1c8143
AgentTesla
20dbea65f9ea5d713ead877a8fdca2bb606af820520ea99fafcef39fc7652ce2
AgentTesla
2ff93944081c104e8175f5209255c50e92d65f8a3e35fbf01c5f6f46237575af
AgentTesla
431c9f8b4b58782d7f9ebeccb1b3a18357667fef8293571cf01aa72f98720df2
AgentTesla
6609cf9b0aefabaaf1bccc04237e6ff32315960166bf4aa2ff5372cfb51c80d3
AgentTesla
8a44fabd61b1b7695fed4db543418ec7ceb0a7641035641d449254a9c458affb
AgentTesla
a28923dedd3df222c1cec68d96cfe47e803d45956aa9e4b011856f135d4e105d
AgentTesla
b1f530942db69e2f7a2823abab2ecc03eaed957101e7e6a7b53af823765df3a7
AgentTesla
e3dbadc32e9e198eb9c03b3c8a29bb4569838eb7089ed761aea6a496eb8f8157
AgentTesla
e85e24ab0180d492c946ab60def07aff6d327969c52b91fcdff34057deea1404
AgentTesla
+ 2'629 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210215-ew7tx46lfj/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
20d8758cb383de0f9fc1f26418262ccf4ab9a3369f59897395ccbbdcf59c7c68
MD5 hash:
dc261691b772a83b1a47a393d5a8cc60
SHA1 hash:
7c123f8110131407dbdb57dd05ffd7c7c190a886
Link:
https://www.unpac.me/results/9e24e5bc-46c6-4235-bb52-80e0bb8ca8c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/20d8758cb383de0f9fc1f26418262ccf4ab9a3369f59897395ccbbdcf59c7c68

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 20d8758cb383de0f9fc1f26418262ccf4ab9a3369f59897395ccbbdcf59c7c68

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/1011590/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117261/

Comments