MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 263bb9ed145f4847b527e4c0a1ad93fa24ad2fd0859a11825fe9d3cc97d5367b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	263bb9ed145f4847b527e4c0a1ad93fa24ad2fd0859a11825fe9d3cc97d5367b
SHA3-384 hash:	d4b97aa7d473c4385ff45a21cf941ed963b102eadbe1b6739b4a5a9b54688fb9c49f75a60e3c4b2a507aa898bd75a8f6
SHA1 hash:	393c6804da7cf48995b3c74e06cb31b9b948d16f
MD5 hash:	7c4af8af74f255a19506d1b66b6e64e2
humanhash:	august-stairway-wyoming-oranges
File name:	كشف حساب مستحق الدفع1.bat
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	552'448 bytes
First seen:	2020-08-27 05:38:03 UTC
Last seen:	2020-08-27 07:19:16 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:JPW+Gu2xDA/UG7T6II5LvCms350Oq4zYme20wcmpH:XGbxDSUGnnI5GmsGOqIy25H
Threatray	10'635 similar samples on MalwareBazaar
TLSH	82C41224137ECF12E5FF0BBAA4EE310043E5B45665A5E3CD9E55D08A2CE6BD08D12B93
Reporter	abuse_ch
Tags:	AgentTesla ARE bat geo

abuse_ch

Malspam distributing AgentTesla:

HELO: fnadh-37.srv.cat
Sending IP: 46.16.62.196
From: Rajeswary M.R. <raji@pr-uae.com>
Reply-To: raji@pr-uae.com
Subject: كشف حساب مستحق الدفع.
Attachment: كشف حساب مستحق الدفع1.7z (contains "كشف حساب مستحق الدفع1.bat")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/51586/

Detection(s):

SecuriteInfo.com.Fareit-FYV7C4AF8AF74F2.15349.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/452251

Signature

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/263bb9ed145f4847b527e4c0a1ad93fa24ad2fd0859a11825fe9d3cc97d5367b/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-08-27 05:39:07 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ey53t3iul5eepnjh4takdlmt7isk2l6qqwnbdas75hj4zf6vgz5q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

25bd8be2689477443c6a6b89c3195bd81b733853aa4502cfd14a6e25afc3798e

AgentTesla

47a8274c13d1205f8651a7b2df233e51e59b369ce8250cc755ff61d422afa561

AgentTesla

4c0ba445450f16973c204aaab8265d888df2d38f822fbfcdf15249fbc3863356

AgentTesla

5623d57806cdca9774c3a13899e361f66948b648303e491bb79072faa715930c

AgentTesla

82c21c0385cf81bd1bebb5be82fb080207e1189729202980c408151692637a02

AgentTesla

996ede8d9cb8561481707de2768ca29bf7294c66ac1de666cb390417eb2d9d60

AgentTesla

a4aa4637f92e6d1f0faea8c071cd561b154e3539a169976ebede90acf6760b99

AgentTesla

be2bc33b9acb5b939bc7cba84521cda274380a09b4acbe6e9696b8183352b5e8

AgentTesla

fe3f9f59dc784955366a2f7c9ff189b39710704b890b2e3aae3ffd0fbdac7539

AgentTesla

+ 10'625 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200827-sbwzqnfv8a/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.45

Link:

https://yomi.yoroi.company/submissions/263bb9ed145f4847b527e4c0a1ad93fa24ad2fd0859a11825fe9d3cc97d5367b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar