MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 249b1438e43913a18e085ec6b3ff767c3091cc55177c7730cfe62ab5bf168309. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA 3 File information Comments

SHA256 hash:	249b1438e43913a18e085ec6b3ff767c3091cc55177c7730cfe62ab5bf168309
SHA3-384 hash:	c15b0c4fbc86a3a382f3bde62a2018bfdf8c4d0ea6796d3738c9620b02c08005d8626f7f59441690e566b222c48fb53b
SHA1 hash:	50af65f9fa1cf41674ab22a3d3a6453d695e8202
MD5 hash:	655b5c2b57d4e42aeb2fcea62fa5b9e2
humanhash:	yankee-hamper-berlin-muppet
File name:	payment_swift_039403_po0232.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'055'744 bytes
First seen:	2020-09-02 06:18:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	24576:Nw+2n3OHUWGuJPKj8i+siU8u8+XDnvzTcVmvUFQcyS:Nw+2eHUWGu7slm+TvzTcsvD
Threatray	31 similar samples on MalwareBazaar
TLSH	9025ADAC720076DEF527FE76C8120D1CA6D06C66D32BD64BD4D331989A3E692DE121F2
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: uaeenterprisesgroup.ae
Sending IP: 156.96.118.47
From: Nirmalan <nirmalan@uaeenterprisesgroup.ae>
Subject: Payment confirmation- Rfq:002732.
Attachment: payment_swift_039403_po0232.r01 (contains "payment_swift_039403_po0232.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com.tr:587

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Result

Verdict:

Clean

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

MassLogger RAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/457187

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code references suspicious native API functions

Initial sample is a PE file and has a suspicious name

Malicious sample detected (through community Yara rule)

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to steal Mail credentials (via file access)

Yara detected AntiVM_3

Yara detected Costura Assembly Loader

Yara detected MassLogger RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/249b1438e43913a18e085ec6b3ff767c3091cc55177c7730cfe62ab5bf168309/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-09-02 05:48:38 UTC

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=esnriohehej2ddqil3dlh73wpqyjdtcvc56homgp4yvllpywqmeq._file

Verdict:

unknown

AgentTesla

72ceeee6538d869e032d33c4cac0b1e51f34b9e32bf1e17f475b5609ddfe0bf8

AgentTesla

7f65935cd55b5a0978bf0a70690462a08d83657a97ddbe6aba871a5496d5f9c5

AgentTesla

ab7cc003aa4d6807236dcd8983804a44a460a462c0e6d4ef70b3030f8ab6b366

AgentTesla

bd99f6b970cc52ee725dd1b734a440243655a3fbc1e2304a665b29d41477c25b

AgentTesla

d8cea078199dbdef51ec7189cf03541bbcbd10c49a133b187348e2a24fe1e2eb

AgentTesla

dc0087097e433036c00aaf8751d4cd9dc3e309fdba09c2ee1415a4060aa1cced

AgentTesla

e2df2b406150713616dbcbdbba76f1939e2605c3b30c6ae62e05832eb874e0e0

AgentTesla

ed42640da83dda3bf2ed08c414bfd256a82c9a8ef1894a59e3c421b254c59d4d

AgentTesla

f23b9e7560ded009508ff2a4dd75507d7bf087ad69c47fc5320af052d95fa814

AgentTesla

+ 21 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/200902-42aby7xb5s/

Behaviour

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: AddClipboardFormatListener

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Drops file in Windows directory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.71

Link:

https://yomi.yoroi.company/submissions/249b1438e43913a18e085ec6b3ff767c3091cc55177c7730cfe62ab5bf168309

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	masslogger_gcch Create hunting rule
Author:	govcert_ch

Rule name:	Quasar_RAT_1 Create hunting rule
Author:	Florian Roth
Description:	Detects Quasar RAT
Reference:	https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf