MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3013ac4b9889d31298ff55fab560e8f20b53052da859ad7f6c8d34f89b74cf24. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3013ac4b9889d31298ff55fab560e8f20b53052da859ad7f6c8d34f89b74cf24
SHA3-384 hash: a6fe51970cb763eb3eefe7f927d953c39c03e03223d9382a3f1bd98d33f6224bbf1cca0cb89c4379b858878797d33035
SHA1 hash: 69c48dd8d8830d5c86dc59b1dd4cbcc1f1a4091b
MD5 hash: 37730d80d40f73193ff9baa62659dd1d
humanhash: berlin-april-georgia-cold
File name:ORDERS#4500121785_PO_PRODUCTS_PlG_Trading Services _Co.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:778'240 bytes
First seen:2020-10-19 06:33:18 UTC
Last seen:2020-10-19 08:24:08 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep 12288:N8Na1m5P5HfNQD1dZ1oiDNsD6Zs6bRdHx2UPXdUSIeaL4Qso8T2IU2UWS9y5:+sm5xM1LBXs6fRN+N7s9yI/Ut
Threatray 12'002 similar samples on MalwareBazaar
TLSH 6FF4E142BE50C400DC390B70E47E8EF4177B7D6AE974A21F2BC5BE357AB31D26926249
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: mail.huincacoop.com.ar
Sending IP: 200.29.255.6
From: PHAN NGỌC HỒNG <purchase.phuoc.nguyen@plg-tts.com.vn>
Subject: Order 4500121785
Attachment: ORDERS4500121785_PO_PRODUCTS_PlG_Trading Services _Co.arj (contains "ORDERS#4500121785_PO_PRODUCTS_PlG_Trading Services _Co.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
84
Origin country :
n/a
Vendor Threat Intelligence
Detection:
NanoCore
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72737/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.3530.32439.20213.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Launching a process
Unauthorized injection to a recently created process
Result
Threat name:
Nanocore AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494855
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Detected Nanocore Rat
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299880 Sample: ORDERS#4500121785_PO_PRODUC... Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 66 Found malware configuration 2->66 68 Malicious sample detected (through community Yara rule) 2->68 70 Sigma detected: Capture Wi-Fi password 2->70 72 12 other signatures 2->72 9 ORDERS#4500121785_PO_PRODUCTS_PlG_Trading Services _Co.exe 6 2->9         started        13 RegAsm.exe 2 2->13         started        15 dhcpmon.exe 2->15         started        17 3 other processes 2->17 process3 file4 52 C:\Users\user\AppData\Roaming\...\ekoxek.exe, PE32 9->52 dropped 54 ORDERS#4500121785_...ervices _Co.exe.log, ASCII 9->54 dropped 80 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->80 19 ekoxek.exe 1 5 9->19         started        23 conhost.exe 13->23         started        25 conhost.exe 15->25         started        27 conhost.exe 17->27         started        signatures5 process6 file7 50 C:\Users\user\AppData\Roaming\samyy3.exe, PE32 19->50 dropped 74 Multi AV Scanner detection for dropped file 19->74 76 Machine Learning detection for dropped file 19->76 78 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->78 29 samyy3.exe 19->29         started        33 RegAsm.exe 1 14 19->33         started        36 RegAsm.exe 19->36         started        signatures8 process9 dnsIp10 56 C:\Windows\System32\drivers\etc\hosts, ASCII 29->56 dropped 82 Antivirus detection for dropped file 29->82 84 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->84 86 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 29->86 90 7 other signatures 29->90 38 netsh.exe 29->38         started        64 185.140.53.187, 4488, 49743 DAVID_CRAIGGG Sweden 33->64 58 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 33->58 dropped 60 C:\Users\user\AppData\Local\...\tmp6EC3.tmp, XML 33->60 dropped 62 C:\Program Files (x86)\...\dhcpmon.exe, PE32 33->62 dropped 88 Hides that the sample has been downloaded from the Internet (zone.identifier) 33->88 40 schtasks.exe 1 33->40         started        42 schtasks.exe 1 33->42         started        file11 signatures12 process13 process14 44 conhost.exe 38->44         started        46 conhost.exe 40->46         started        48 conhost.exe 42->48         started       
Detection:
nanocore
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3013ac4b9889d31298ff55fab560e8f20b53052da859ad7f6c8d34f89b74cf24/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 00:53:49 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=gaj2ys4yrhjrfgh7kx5lkyhi6ifvgbjnvbm2273mru2prg3uz4sa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
29dbd904452edf79122808dfb4810fcf8d089b8e298f68d48497c4b82ebcb1b1
AgentTesla
51837e07f216a7af44fbabf5a9e0b91dcbc2dfd3c3428badf554049a193938cf
AgentTesla
5fb13ec9aec5b17f482da9aa1b4843d58721d0c99090e9f6cb3a88940666cc61
AgentTesla
72bd0977963ba2b746a267fd559578ab5d8d56a0dccc1e8296785ba4641877d4
AgentTesla
84576eb81afad9ffdc32144ed3ebf5ebb7e63b27b18725a0e7cead356d3bed60
AgentTesla
88ffe4c8afc9b30ad07bf5161593a0a19c3737ba8c5eb49353a2470ecd811b15
AgentTesla
c1c841ab92fcc7f486280ba17d8e08dfd8626c2b7adad80bc83bd27794dde5e6
AgentTesla
c560dadc5a125a4c74dda79e22d40279f7883a0d961eb39b9095119d3196baaa
AgentTesla
c62e6a976a7999cc933cdb42e0d6eb0be6dbc979a0d0ef2a3143e6e0a4fb5c7f
AgentTesla
fd54073286010523ef59ce428c3ae8b92f87abce1027ed232befe46499bf5e53
AgentTesla
+ 11'992 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:nanocore family:agenttesla persistence
Link:
https://tria.ge/reports/201019-8tyfg8zap2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
ServiceHost packer
AgentTesla
NanoCore
Malware Config
C2 Extraction:
185.140.53.187:4488
Unpacked files
SH256 hash:
3013ac4b9889d31298ff55fab560e8f20b53052da859ad7f6c8d34f89b74cf24
MD5 hash:
37730d80d40f73193ff9baa62659dd1d
SHA1 hash:
69c48dd8d8830d5c86dc59b1dd4cbcc1f1a4091b
Link:
https://www.unpac.me/results/0b3a2e3a-f370-45da-b225-a198edc69358/
SH256 hash:
ad939f9b48ffde162b3017dc6fa175978c40b2334f5339ff6a80183fc3add5de
MD5 hash:
6ee6a744d0059363dc0488022ce779d5
SHA1 hash:
81c734abd88f644d66bf8ba07d22109bbac0f295
Link:
https://www.unpac.me/results/0b3a2e3a-f370-45da-b225-a198edc69358/
SH256 hash:
8e7a7cf5729a62d9170b15220f14fd4842f022d508405bcf9e3db9e3d85a19c2
MD5 hash:
632615b5bf47bcf92e4c3f705dfcfb19
SHA1 hash:
fdda7e4679bd6f3426d6d2f057fd50f58efb280f
Link:
https://www.unpac.me/results/0b3a2e3a-f370-45da-b225-a198edc69358/
SH256 hash:
054bb506261d931c09b36ab7cdae083e46b1c93710a1bce0cab8c6fbb4fe0c03
MD5 hash:
266aeb9244ca539c5a64193b160b85ed
SHA1 hash:
d372f7600d79ad8b456ed8d2ed8777b8066602ba
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/0b3a2e3a-f370-45da-b225-a198edc69358/
Parent samples :
3013ac4b9889d31298ff55fab560e8f20b53052da859ad7f6c8d34f89b74cf24
4d41aeadc8ec2a61264185f84985595dea4edec7a0c1e0866497c5f16d3dff46
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3013ac4b9889d31298ff55fab560e8f20b53052da859ad7f6c8d34f89b74cf24

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

arj f210a47957b09544d99d4079fff846794b816a37e5f223269840b17ef2674d51

AgentTesla

Executable exe 3013ac4b9889d31298ff55fab560e8f20b53052da859ad7f6c8d34f89b74cf24

(this sample)

  
Dropped by
MD5 8a016f5bc50e5876c73727aea345619b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 f210a47957b09544d99d4079fff846794b816a37e5f223269840b17ef2674d51
Cape
Cape
https://www.capesandbox.com/analysis/72737/

Comments