MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 273354be097b6ed6022eac720e2a6ff987242d38ad320630d78f6b5f3969a706. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 273354be097b6ed6022eac720e2a6ff987242d38ad320630d78f6b5f3969a706
SHA3-384 hash: 247efa9e252d9e33d4a9e45b10e6df538eaa46ca473ae3dc4e2987ccb72d83b9e86e1a231688603f3ce4962753aeac40
SHA1 hash: f3fecc5126b740d05c02c456e5514e8959cb98c1
MD5 hash: d5b5a7e2a79deba736a51a4c98282b70
humanhash: don-equal-carbon-nitrogen
File name:URGENT ORDER SO 22-2020 WSO-20-03121.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:368'128 bytes
First seen:2020-08-03 07:07:50 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 6144:y+zxVO3mkCcwJZZS0jcmizwaFC246JPsQgQfgEwIXTTWh2995:/NXkCcwvYtC2Sy7ndj5
Threatray 10'818 similar samples on MalwareBazaar
TLSH DD74C0A8C26EB518C5B653BF7573932EC2B8E3032A12C7EB039014453D75BEC56A15BE
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: w2k12mx04.dc1.ca.ihglobaldns.com
Sending IP: 192.175.105.170
From: Info <info@naftkav.com>
Reply-To: info@naftkav.com
Subject: URGENT ORDER SO 22-2020 WSO-20-03121
Attachment: URGENT ORDER SO 22-2020 WSO-20-03121.rar (contains "URGENT ORDER SO 22-2020 WSO-20-03121.exe")

AgentTesla SMTP exfil server:
mail.halaiholdings.com:587

AgentTesla SMTP exfil email address:
sales@halaiholdings.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/37412/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a file
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Changing the hosts file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/407335
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255898 Sample: URGENT ORDER SO 22-2020 WSO... Startdate: 03/08/2020 Architecture: WINDOWS Score: 88 77 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->77 79 Yara detected AgentTesla 2->79 81 Machine Learning detection for sample 2->81 83 Initial sample is a PE file and has a suspicious name 2->83 14 URGENT ORDER SO 22-2020 WSO-20-03121.exe 1 2->14         started        process3 signatures4 101 Maps a DLL or memory area into another process 14->101 17 URGENT ORDER SO 22-2020 WSO-20-03121.exe 14->17         started        20 RegAsm.exe 2 14->20         started        process5 signatures6 71 Maps a DLL or memory area into another process 17->71 22 URGENT ORDER SO 22-2020 WSO-20-03121.exe 17->22         started        25 RegAsm.exe 2 17->25         started        73 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->73 75 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->75 process7 signatures8 87 Maps a DLL or memory area into another process 22->87 27 URGENT ORDER SO 22-2020 WSO-20-03121.exe 22->27         started        30 RegAsm.exe 2 22->30         started        process9 signatures10 97 Maps a DLL or memory area into another process 27->97 32 URGENT ORDER SO 22-2020 WSO-20-03121.exe 27->32         started        35 RegAsm.exe 2 27->35         started        process11 signatures12 69 Maps a DLL or memory area into another process 32->69 37 URGENT ORDER SO 22-2020 WSO-20-03121.exe 32->37         started        41 RegAsm.exe 32->41         started        process13 dnsIp14 67 192.168.2.1 unknown unknown 37->67 89 Maps a DLL or memory area into another process 37->89 43 URGENT ORDER SO 22-2020 WSO-20-03121.exe 37->43         started        46 RegAsm.exe 37->46         started        48 RegAsm.exe 37->48         started        91 Tries to steal Mail credentials (via file access) 41->91 93 Tries to harvest and steal ftp login credentials 41->93 95 Tries to harvest and steal browser information (history, passwords, etc) 41->95 signatures15 process16 signatures17 99 Maps a DLL or memory area into another process 43->99 50 URGENT ORDER SO 22-2020 WSO-20-03121.exe 43->50         started        53 RegAsm.exe 43->53         started        55 RegAsm.exe 43->55         started        57 RegAsm.exe 43->57         started        process18 signatures19 85 Maps a DLL or memory area into another process 50->85 59 URGENT ORDER SO 22-2020 WSO-20-03121.exe 50->59         started        61 RegAsm.exe 50->61         started        63 RegAsm.exe 50->63         started        process20 process21 65 RegAsm.exe 59->65         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/273354be097b6ed6022eac720e2a6ff987242d38ad320630d78f6b5f3969a706/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 07:09:05 UTC
AV detection:
34 of 48 (70.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=e4zvjpqjpnxnmarovrza4ktp7gdsiljyvuzammgxr5vv6olju4da._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0de02fe1d36c7dc18f12a9eb8c398158c474699f8471177b2b2d190b6c0ce3c5
AgentTesla
25fc942b81a074fe6b40b2f817fb87d28a54949bf604e54c414c890a351b83e4
AgentTesla
2791e882cf9c19fd8485165584afdccbeac1b7a5ae1781588ea02b7e5f856602
AgentTesla
379932a035b022f75183de013c25c88433271bc39d656a42c0e87090dbfdbf72
AgentTesla
384b681234bcb71c52d6ac2bbe80207dd999f904e464e862adbb99ce25aec1f9
AgentTesla
4f4da7ed9a3d252b36eb7231d63b5e05eae88bec7edaa044fb5590e49d8db950
AgentTesla
636ed47033dc0066e0e169d4be9d01b56886b255cd5d351b481e35200f507b43
AgentTesla
8f004bc9aec06467c6d02274e540d990f49f936a089fe46c651fe80b38b5a4cd
AgentTesla
af3de18f3b36685688f53991f1c4bd26d2cf0a36f7aeccaa0a09088b9c2e9461
AgentTesla
f13afdd20e5dbe1fe6bc73b81b8c91604d125a1833b6a14fb9efbeb575ec73ee
AgentTesla
+ 10'808 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/200803-skmfg7vf76/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: MapViewOfSection
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/273354be097b6ed6022eac720e2a6ff987242d38ad320630d78f6b5f3969a706

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 04110a05c955d8f105a0964156b4c6afe7fe5252a9468e3f5daa59f41c44879d

AgentTesla

Executable exe 273354be097b6ed6022eac720e2a6ff987242d38ad320630d78f6b5f3969a706

(this sample)

  
Dropped by
MD5 4a13ecb2064dd4f43635c76ed2d8f062
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37412/
  
Dropped by
SHA256 04110a05c955d8f105a0964156b4c6afe7fe5252a9468e3f5daa59f41c44879d

Comments