MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 268016b6a5ef2e4488d899815b0d2b24c95a99e4b4fed5c946a4e1d947f5c26d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	268016b6a5ef2e4488d899815b0d2b24c95a99e4b4fed5c946a4e1d947f5c26d
SHA3-384 hash:	916f9da408d655fb154fb888f30826aaddaaffb921242864e1e56d39c0a501c6bc5178af62e16934d42ca4821e7295f7
SHA1 hash:	e720d5a964432429a1ec2a8f669a4b39183fd2ff
MD5 hash:	d8d8f55b1084a0f7d585f2a79e4dc51c
humanhash:	chicken-bakerloo-red-sink
File name:	BL Draft.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	755'712 bytes
First seen:	2020-07-29 07:54:01 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	e8ef47e85c79ee608837cc415c05c43b (15 x AgentTesla, 5 x NanoCore, 5 x Loki)
ssdeep	12288:TRXtpnVH9Az44BnvOCDhzcl0UdKndi2bnXHIYhmNIAxp9Nx0KTg2+a3OJYj:Tfd8z4byilBdlGXD0V/9NxaI
Threatray	11'530 similar samples on MalwareBazaar
TLSH	9BF4AF62B2E14932D1A72E789C1F5764AF3ABE003E3459462FFC1C4C9F397913866297
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: webmail.cyber.net.pk
Sending IP: 203.101.175.37
From: hameedentr@cyber.net.pk
Subject: Re: **TOP URGENT** Shipping Documents
Attachment: BL Draft.gz (contains "BL Draft.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/34622/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.Trojan.PWS.Stealer.19347.10936.15784.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/402055

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/268016b6a5ef2e4488d899815b0d2b24c95a99e4b4fed5c946a4e1d947f5c26d/

Threat name:

Win32.Trojan.DataStealer

Status:

Malicious

First seen:

2020-07-29 01:00:00 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=e2abnnvf54xejcgytgavwdjletevvgpewt7nlskgutq5sr7vyjwq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

060163be3a5a8a3c01b812b493cf37c88542825b6155c5dcd1469f8ea6533791

AgentTesla

08f2065fd2507d913812ff9c8a09664dbd7004a98ddaeae4e929fad631e0e9f9

AgentTesla

2370632e89b7760a6fb52b85bc77178c4511e62804a2b2d34c24e4a1303a9a25

AgentTesla

4936f703c3766d5968297c3e682fc5be8a3af59fa6557502b5e29af7a4f8c925

AgentTesla

870fe6b4452b111da70a75632e46487b3ddfb7a247fc8a4ec6a727089cef49c2

AgentTesla

9da1eccf37d5a51c11df17bb39a88e9fdb2118979614ae5951d71b3dc33c62cb

AgentTesla

a1adc016843b4ca4e6b792883fb3d25072275d1213eec5c16a9940653b9a7508

AgentTesla

e0e9dc6044a68060a3eac5b522383c51d65e1720ff209aec58ad55dd49213f59

AgentTesla

ec44baa08d0e4edf9673749f16f87a1fe21d981bf08715e20a579a478316f4e1

AgentTesla

+ 11'520 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200729-s2mzpjvvr2/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/268016b6a5ef2e4488d899815b0d2b24c95a99e4b4fed5c946a4e1d947f5c26d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar