MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 237b1286cffac0882ec074c40dad1325cd0b25c8c548c7cc76566d2eed4b99a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA 3 File information Comments

SHA256 hash:	237b1286cffac0882ec074c40dad1325cd0b25c8c548c7cc76566d2eed4b99a4
SHA3-384 hash:	1e6c42bde559c8687dabd771cbb58f33796946f208914fcf5f10e8fccdf151ce8c08b9befee74aec5b4aaf072eebab76
SHA1 hash:	821737228db8013d37d1c7de9271b4f3409a05aa
MD5 hash:	5d2b0c84709755f049fd78a7d2d1c4b5
humanhash:	pluto-six-pasta-wisconsin
File name:	5d2b0c84709755f049fd78a7d2d1c4b5.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	503'296 bytes
First seen:	2021-03-01 19:08:21 UTC
Last seen:	2021-03-01 20:36:41 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'609 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:aIJFmzwJolpFWgFUCBhR81QMjEmybi6LKey6eP:TgFUCBhujEmdtP
Threatray	2'921 similar samples on MalwareBazaar
TLSH	C1B4173425AE10AEE43BBE7207C4955CC6856E22721B6B5FE48239D3C5F2E43CBC1DA5
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

144

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Precio De Referencia - Mexico Mine Supply.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-01 17:14:33 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/51041cfc-e06c-413e-b0ef-8f28e96d9882

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/120385/

Detection(s):

SecuriteInfo.com.FileRepMalware.23924.32238.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/622763

Signature

.NET source code contains very large strings

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/237b1286cffac0882ec074c40dad1325cd0b25c8c548c7cc76566d2eed4b99a4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-03-01 17:26:23 UTC

AV detection:

16 of 29 (55.17%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=en5rfbwp7laiqlwaotca3litexgqwjoiyvemptdwkzws53kltgsa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1339a751e36cce726e3d808cfad7cd81c7f0712103a9c26a65acaf8c573f97b5

AgentTesla

15b7e016d58fd18d0f7eb8f578ba217b9aaac7367c0eddd7a545f9d98d49e288

AgentTesla

19c9fa542614e9ef3326b05f129328c3e306245cdebe51e233c5e20837321321

AgentTesla

79b276630a955b4f8940424fc1e85a1020cdc2d777c2760e8d696a932bb06f47

AgentTesla

8ccb27d2627b5288f5eadd11fd64cc8a849bf587bac68d5a6699361c9f0684a5

AgentTesla

b5711cb62942fa81a74147f16f16231c6033155f48e60f1d9b8d71cac4445706

AgentTesla

bd021089d05bee433a76c55dd186d23261a7232e55ea540c9fd63f4403071a66

AgentTesla

d6a5d01edf06c2812aec143d767d5ed3a18ca7386a7470f9e7c8d08e49b0c366

AgentTesla

f4ca4b6592ae781af7585c76f6a922e5c88340df7164f07fdb3a6aa85dbfaeb5

AgentTesla

+ 2'911 additional samples on MalwareBazaar

Result

Malware family:

trickbot

Score:

10/10

Tags:

family:agenttesla family:trickbot botnet:tot50 banker keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210301-j5cxqqmetx/

Behaviour

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Drops file in System32 directory

Suspicious use of SetThreadContext

Adds Run key to start application

Looks up external IP address via web service

Drops startup file

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

AgentTesla

Trickbot

Malware Config

C2 Extraction:

154.79.252.132:449
179.191.108.58:449
200.6.169.124:443
103.76.20.226:443
80.78.77.116:449
80.78.75.246:443
45.234.248.66:449
187.190.116.59:443
185.234.72.84:443
36.94.202.131:443
103.91.244.102:449
168.232.188.88:449
103.73.101.98:449
173.81.4.147:449
202.142.151.190:449
118.67.216.238:449
108.170.20.72:443
85.159.214.61:443
36.92.93.5:449
79.122.166.236:449
201.184.190.59:449
111.235.66.83:443
187.19.200.154:449
186.195.199.238:449
103.84.164.87:443
117.212.193.62:449
190.152.71.230:443
37.235.230.123:449
103.119.117.42:443
177.47.88.62:443
103.146.2.152:449
102.164.211.138:449
182.48.66.106:443
178.54.230.164:443
221.176.88.201:449
167.179.194.205:443
179.60.243.52:443

Unpacked files

SH256 hash:

f8b5b51efedb3e87493ac2439473564603cc3059d57956f209a7310e311a1027

MD5 hash:

d66f89bf838fb52ed59d311a99aea214

SHA1 hash:

342525c4aabbb92abf51459081d34ed0f1cdc965

Link:

https://www.unpac.me/results/bfb4648d-d620-4ac7-a712-798f999a95e9/

SH256 hash:

f774216df610f9d30e83fcb0888ada1ee3ebb1c75f9c832f557185c298e80aa3

MD5 hash:

024b5a081ac4345d48e91e801914b553

SHA1 hash:

b966df99d8c31d389d2edad116eb38630f48a8b9

Link:

https://www.unpac.me/results/bfb4648d-d620-4ac7-a712-798f999a95e9/

SH256 hash:

d4a7b583d1a7266438f2e3a421d24aec12c996c8d89cfde0fbeccc5b6e150d1b

MD5 hash:

2e0c19d018e0fe3e2100aae1343a6a4c

SHA1 hash:

e8d6edaff8672b0a3a7b4e0b7395d0b612032c4b

Link:

https://www.unpac.me/results/bfb4648d-d620-4ac7-a712-798f999a95e9/

SH256 hash:

237b1286cffac0882ec074c40dad1325cd0b25c8c548c7cc76566d2eed4b99a4

MD5 hash:

5d2b0c84709755f049fd78a7d2d1c4b5

SHA1 hash:

821737228db8013d37d1c7de9271b4f3409a05aa

Link:

https://www.unpac.me/results/bfb4648d-d620-4ac7-a712-798f999a95e9/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/237b1286cffac0882ec074c40dad1325cd0b25c8c548c7cc76566d2eed4b99a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/120385/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample