MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d2996c0344c2ed157f9affb6468c803dc196b519574c945c8fe40e445418030. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2d2996c0344c2ed157f9affb6468c803dc196b519574c945c8fe40e445418030
SHA3-384 hash: d0b4cabafb98627a2f519706b3dbdf6cae8d9499979d0bd7ce8d219895cbfb5e04077aa9dace47228d002fa6ba33a717
SHA1 hash: 910c9f05f590203d9662140ebd2ee323ff937367
MD5 hash: e6f5720c61791304ad99987695c07d81
humanhash: stream-eleven-montana-chicken
File name:Statement Of Account.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:164'312 bytes
First seen:2020-11-26 06:51:39 UTC
Last seen:2020-11-26 08:42:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 1536:wlkcjh4erh3ItgUmfaia8WWl+CRppyXl7IhCpc6ouxcb/Fh4AuUf/:y7F8g5fa/vWA6pQZ24xE34K
Threatray 1'517 similar samples on MalwareBazaar
TLSH ACF3D689729E0D12DB755A382872AC1001F37B53F652DEECCDD3D6D9B491B824B23E62
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: c30atji5.mwprem.net
Sending IP: 61.118.29.167
From: Equalplas <equalplas.acc@hotmail.com>
Subject: OUTSTANDING SOA
Attachment: Statement Of Accounts.cab (contains "Statement Of Account.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
156
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/547787
Signature
.NET source code contains very large strings
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 322997 Sample: Statement Of Account.exe Startdate: 26/11/2020 Architecture: WINDOWS Score: 88 55 pastebin.com 2->55 57 hastebin.com 2->57 59 g.msn.com 2->59 65 Yara detected AgentTesla 2->65 67 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 2->67 69 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 2->69 71 5 other signatures 2->71 8 Statement Of Account.exe 24 7 2->8         started        13 Statement Of Account.exe 2->13         started        15 Statement Of Account.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 61 pastebin.com 104.23.98.190, 443, 49717 CLOUDFLARENETUS United States 8->61 63 hastebin.com 104.24.127.89, 443, 49711, 49729 CLOUDFLARENETUS United States 8->63 53 C:\Users\user\...\Statement Of Account.exe, PE32 8->53 dropped 73 Creates an undocumented autostart registry key 8->73 75 Creates autostart registry keys with suspicious names 8->75 77 Creates multiple autostart registry keys 8->77 79 Adds a directory exclusion to Windows Defender 8->79 19 powershell.exe 16 8->19         started        21 powershell.exe 10 8->21         started        23 powershell.exe 10 8->23         started        33 4 other processes 8->33 25 timeout.exe 13->25         started        27 timeout.exe 15->27         started        29 timeout.exe 17->29         started        31 timeout.exe 17->31         started        file6 signatures7 process8 process9 35 conhost.exe 19->35         started        37 conhost.exe 21->37         started        39 conhost.exe 23->39         started        41 conhost.exe 25->41         started        43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        49 conhost.exe 33->49         started        51 conhost.exe 33->51         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/2d2996c0344c2ed157f9affb6468c803dc196b519574c945c8fe40e445418030/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 06:52:09 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=fuuznqbujqxncv7zv75wi2giapobs22rsv2msroi7zaoirkbqaya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0233c43ce1cf759e1d8c8d343b03bfbad84652b12fe32b0e54b7fc7c08bdcc88
AgentTesla
19956a68719c3c4b8bbdab4e9a3b1f28acf60cc6d0e5e70b30aaa5016a4215fb
AgentTesla
3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa
AgentTesla
7596db7593e9571f3cfdb3003fe0001054abddfb57dd8390bc05d458cbef0be3
AgentTesla
8a3c02f3f221e3874e057b7a98a43560d291f886f4b5351051f2876bc2f8c4e6
AgentTesla
8c3b25751ab09b3f9a6b6f9ce8271c13b5963565c2099077cfc9d30d6ff6abe7
AgentTesla
8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413
AgentTesla
95eaed904a48a580a9ba80eb8193b178f08b3da26d830b7a8b2fa8f5e3b5186e
AgentTesla
9bad59a7b2c604957e6dc7f52dbebcaf6b240eba426bdd2e973625cdd6c50c50
AgentTesla
d3083455681d65c6d3d151874554ad31b053ea89daa743f09ad2128e978999dc
AgentTesla
+ 1'507 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201126-743cr79qbe/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops startup file
Windows security modification
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
AgentTesla
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
2d2996c0344c2ed157f9affb6468c803dc196b519574c945c8fe40e445418030
MD5 hash:
e6f5720c61791304ad99987695c07d81
SHA1 hash:
910c9f05f590203d9662140ebd2ee323ff937367
Link:
https://www.unpac.me/results/68436c98-45b4-4e02-9156-42782bfb27d2/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab 2067cee09631892c460b0cce1d9d3125a5544ce8e552d507117ebfcb5f26d8fa

AgentTesla

Executable exe 2d2996c0344c2ed157f9affb6468c803dc196b519574c945c8fe40e445418030

(this sample)

  
Dropped by
MD5 b6dd0201f73b45959ec6fd2f566ddca9
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 2067cee09631892c460b0cce1d9d3125a5544ce8e552d507117ebfcb5f26d8fa
Cape
Cape
https://www.capesandbox.com/analysis/105603/

Comments