MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 22a1fa0244b13dcbce7f57bf490cddfa7294570c35399fee154b0fe8205e4734. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 22a1fa0244b13dcbce7f57bf490cddfa7294570c35399fee154b0fe8205e4734
SHA3-384 hash: d4c682d92f624e68d5d2f10cd935b67b46fa22e01c0331c84a5abbdca85dbd30da9ec6a9f4ba80750fb86295716682fe
SHA1 hash: d7023efe71d42c5b0fd0a9e5e3a025c936164c69
MD5 hash: d8716cf322f7676972cc1bddfa56c7bf
humanhash: leopard-eight-saturn-purple
File name:chusss.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:386'048 bytes
First seen:2020-07-28 13:47:56 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:S5i7e7K7VdpwIfzZBBpFdt11Nt51dwJN5xZxRnNtFphRht11xJtJ57ZpxVVdppJ0:87KPXzZBBpFdt11Nt51dwJN5xZxRnNtt
Threatray 10'697 similar samples on MalwareBazaar
TLSH 6D84CF8A1A65EA91D28D45BF08A818F3376C90C77F2363475794FF7CB0C728056D6E2A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mail.DSPROMEDIA.COM
Sending IP: 91.151.85.120
From: Daniele@culimat.eu
Subject: Purschase Order
Attachment: PO.zip (contains "chusss.exe")

AgentTesla SMTP exfil server:
mail.fidesglobal.com.tr:587

AgentTesla SMTP exfil email address:
serpil@fidesglobal.com.tr

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/33730/
Detection(s):
SecuriteInfo.com.Fareit-FVKD8716CF322F7.1653.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Changing the hosts file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/400454
Signature
Antivirus / Scanner detection for submitted sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 252577 Sample: chusss.exe Startdate: 28/07/2020 Architecture: WINDOWS Score: 80 63 Antivirus / Scanner detection for submitted sample 2->63 65 Multi AV Scanner detection for submitted file 2->65 67 Yara detected AgentTesla 2->67 69 Machine Learning detection for sample 2->69 13 chusss.exe 1 2->13         started        16 wuapihost.exe 2->16         started        process3 signatures4 85 Maps a DLL or memory area into another process 13->85 18 chusss.exe 13->18         started        21 RegAsm.exe 2 13->21         started        process5 signatures6 71 Maps a DLL or memory area into another process 18->71 23 chusss.exe 18->23         started        26 RegAsm.exe 2 18->26         started        28 RegAsm.exe 18->28         started        73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 21->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->75 process7 signatures8 81 Maps a DLL or memory area into another process 23->81 30 chusss.exe 1 23->30         started        33 RegAsm.exe 2 23->33         started        process9 signatures10 89 Maps a DLL or memory area into another process 30->89 35 chusss.exe 30->35         started        38 RegAsm.exe 2 30->38         started        process11 signatures12 77 Maps a DLL or memory area into another process 35->77 40 chusss.exe 35->40         started        43 RegAsm.exe 35->43         started        process13 signatures14 83 Maps a DLL or memory area into another process 40->83 45 chusss.exe 40->45         started        48 RegAsm.exe 40->48         started        50 RegAsm.exe 40->50         started        process15 signatures16 87 Maps a DLL or memory area into another process 45->87 52 chusss.exe 45->52         started        55 RegAsm.exe 45->55         started        57 RegAsm.exe 45->57         started        process17 signatures18 79 Maps a DLL or memory area into another process 52->79 59 RegAsm.exe 52->59         started        61 RegAsm.exe 52->61         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/22a1fa0244b13dcbce7f57bf490cddfa7294570c35399fee154b0fe8205e4734/
Threat name:
ByteCode-MSIL.Trojan.FormBook
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 13:48:12 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ekq7uasewe64xtt7k67usdg57jzjivymgu4z73qvjmh6qic6i42a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0b33dac5aa5963fc19e2db868690d76e0655d2bc6f1801eca5e1f26d903c16b0
AgentTesla
1beeee8be1d1210689501aea9ee2ff97fba886b65ecb5fc92a9ef0f732021428
AgentTesla
2840cc36c04714a605a7df8b64bee3a738fa7bf6caee439e0d4eb0cbb7e7b7eb
AgentTesla
6aa018beeb336fbf2405ae4325c486065b424653c4a5183aec7d9e116e1ebbc4
AgentTesla
7e1e492f4f7ef7b70a4a0084dcb1be4e13fda74af33dfdaa8b006cf204522627
AgentTesla
b8c96d064670dea1cf13d2e29a924a80468aa43f1a7c8f5b1ca391b15c2ac7e2
AgentTesla
d4f0ec801c62358eddef6f921ac704593bccd1847f34e6f0272db9f40f74adb0
AgentTesla
d85fd5138d13af3d313c3b2b9b3d5379b2d1a38e602ceb191c02d347d1bc3855
AgentTesla
e713a9bac94efc2de71fbcdca91c221b8f895aa48a216ec8a656a879e5a8bd83
AgentTesla
ee179cf179ec5743bd32e4df32cc7f4dbf912c962a558eaa37f65b0a6b7f10f2
AgentTesla
+ 10'687 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/200728-6g2n794kln/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Suspicious use of SetThreadContext
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/22a1fa0244b13dcbce7f57bf490cddfa7294570c35399fee154b0fe8205e4734

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 2d70e1c54a79ae66047189abedf0042ea47df27ad1b91bc50445bf8b43be22fb

AgentTesla

Executable exe 22a1fa0244b13dcbce7f57bf490cddfa7294570c35399fee154b0fe8205e4734

(this sample)

  
Dropped by
MD5 125faeb6d243c8e9033523f2ca3c16ab
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/33730/
  
Dropped by
SHA256 2d70e1c54a79ae66047189abedf0042ea47df27ad1b91bc50445bf8b43be22fb

Comments