MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2bff2eb9a8f7c497688208e9031adfc146bad406453325a3eeeb052f840e163f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	2bff2eb9a8f7c497688208e9031adfc146bad406453325a3eeeb052f840e163f
SHA3-384 hash:	aacb4b82b4c4b7bab7bab015eb6b840985acd7c9363296b739637c69a9eb558495cabb2905d1b0aa10784623c349425a
SHA1 hash:	e4c1ac1a35e42f69b84de84fc1866a9a95fc3d04
MD5 hash:	237cef094a2dee443dabf8969f23fb19
humanhash:	freddie-aspen-thirteen-mirror
File name:	2020年中国（深圳）国际医疗防疫物资展览会(周文槟).exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	825'344 bytes
First seen:	2020-08-27 05:44:00 UTC
Last seen:	2020-08-27 07:19:20 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:VzHKXdojsDyDqljanetnCyifZ7cbJfb8vUJnbFcrnFGeOXXzWT057Yf/:UXdgseMnCyidcFD8vHy40Sn
Threatray	10'042 similar samples on MalwareBazaar
TLSH	CB05E146032E8B3DDD0872BD35A040ADE631AB46EF38E1D8DF4B75B9594E25EA05C3C6
Reporter	abuse_ch
Tags:	AgentTesla CHN exe geo

abuse_ch

Malspam distributing AgentTesla:

HELO: mail-smail-vm37.hanmail.net
Sending IP: 203.133.180.225
From: 정동디씨 <jungdong2162@daum.net>
Subject: 8月7-8日2020深圳国际医疗防疫物资展剩余展位有限
Attachment: 2020年中国（深圳）国际医疗防疫物资展览会(周文槟).z (contains "2020年中国（深圳）国际医疗防疫物资展览会(周文槟).exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/51595/

Detection(s):

SecuriteInfo.com.Generic.mg.237cef094a2dee44.25376.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/452284

Signature

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/2bff2eb9a8f7c497688208e9031adfc146bad406453325a3eeeb052f840e163f/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-08-27 05:45:07 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=fp7s5oni67cjo2ecbduqggw7yfdlvvagiuzsli7o5mcs7baocy7q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

35a38e46b89b6145d415c29cf2a3d5c746e2f8b6728fc1a0a4d78865e7ed9b59

AgentTesla

36ccd31c1ec6282731d19195236079e96b13c2c387703265ac788f46f1777c95

AgentTesla

38fcb333238cb4390662b70073f768dd5928d7995b77747add4f2acc8dff4db0

AgentTesla

4a4688aef8ed33c99bda67183d11393956d9e29453ebc230bce72d06f788520a

AgentTesla

4cbc170e21690671a4d72358dff18495f7fc2b5278eb331933de84fcebaa7f4e

AgentTesla

5f50699c3144405b2458bac5d4ae1c6f9945dc5c91641a91326602d0b387f7b9

AgentTesla

89116942312d8a60d9dff7624d4550b1f84def97b0251cb705e705e1d125edcc

AgentTesla

d2d83fb7446e0969d3ffab161cb2d258041c9c0e686de6dc978b334b444b0512

AgentTesla

f993204d13f7fb5d573fab0a29f3064ab7df3cea32816a6af8df3f22e49c9f81

AgentTesla

+ 10'032 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

3/10

Tags:

n/a

Link:

https://tria.ge/reports/200827-7myb9k5lva/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Program crash

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/2bff2eb9a8f7c497688208e9031adfc146bad406453325a3eeeb052f840e163f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar