MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
SHA3-384 hash: 89b5f60de4aebdc3698ec7f9fb50135c6bf19b2269d9d58149413b402d2ceef7a9bd932a9e8850f9bd7285d28b1a2544
SHA1 hash: 44645a78e2dbe6dbd0e23c60204cb28dc4c4136b
MD5 hash: b0cff698d1fd64ef9a159e2dbea1abaf
humanhash: item-white-quiet-carpet
File name:Money gram.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:891'392 bytes
First seen:2020-10-18 06:39:12 UTC
Last seen:2020-10-18 07:57:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:QDCY7oJcjcxTUQV6/1A8FtwpUDLhgCJ1dUEML91pNV0vpvQc:QOYQcjcxTUu6/W8aUPJ1GHzCvJt
Threatray 10'843 similar samples on MalwareBazaar
TLSH E1157D427779A740C1A8F3BB11A7A78513EAF4C75ED0870E2F0E97D5A4932C62E2D346
Reporter abuse_ch
Tags:AgentTesla exe FRA geo Outlook


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: EUR01-VE1-obe.outbound.protection.outlook.com
Sending IP: 40.92.66.93
From: Delphine GIRARD <dizys1@msn.com>
Subject: Re: Re: Re: Re: Re: A l'attende de vous lire
Attachment: Money gram.zip (contains "Money gram.exe")

AgentTesla SMTP exfil server:
smtp.gmail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
161
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72630/
Detection(s):
SecuriteInfo.com.ArtemisB0CFF698D1FD.29700.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching cmd.exe command interpreter
Creating a process from a recently created file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
99 / 100
Link:
https://www.joesandbox.com/analysis/494594
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to register a low level keyboard hook
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299747 Sample: Money gram.exe Startdate: 18/10/2020 Architecture: WINDOWS Score: 99 71 Found malware configuration 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected AgentTesla 2->75 77 4 other signatures 2->77 9 Money gram.exe 4 2->9         started        13 application.exe 2->13         started        15 application.exe 2 2->15         started        17 2 other processes 2->17 process3 file4 55 C:\Users\user\AppData\...\Money gram.exe.log, ASCII 9->55 dropped 99 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->99 19 cmd.exe 1 9->19         started        21 cmd.exe 2 9->21         started        24 InstallUtil.exe 13->24         started        28 InstallUtil.exe 15->28         started        30 conhost.exe 17->30         started        32 conhost.exe 17->32         started        signatures5 process6 dnsIp7 34 application.exe 4 19->34         started        37 conhost.exe 19->37         started        53 C:\Users\user\AppData\...\application.exe, PE32 21->53 dropped 39 conhost.exe 21->39         started        59 smtp.gmail.com 24->59 87 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->87 89 Tries to steal Mail credentials (via file access) 24->89 91 Tries to harvest and steal ftp login credentials 24->91 93 Tries to harvest and steal browser information (history, passwords, etc) 24->93 61 173.194.69.108, 49711, 49712, 587 GOOGLEUS United States 28->61 63 smtp.gmail.com 28->63 95 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->95 97 Installs a global keyboard hook 28->97 file8 signatures9 process10 signatures11 79 Multi AV Scanner detection for dropped file 34->79 81 Machine Learning detection for dropped file 34->81 83 Allocates memory in foreign processes 34->83 85 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->85 41 InstallUtil.exe 2 9 34->41         started        46 cmd.exe 1 34->46         started        process12 dnsIp13 65 smtp.gmail.com 173.194.69.109, 49709, 49710, 49714 GOOGLEUS United States 41->65 67 192.168.2.1 unknown unknown 41->67 57 C:\Users\user\AppData\Roaming\...\ljYBX.exe, PE32 41->57 dropped 101 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 41->101 103 Tries to steal Mail credentials (via file access) 41->103 105 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 41->105 107 4 other signatures 41->107 48 reg.exe 1 1 46->48         started        51 conhost.exe 46->51         started        file14 signatures15 process16 signatures17 69 Creates multiple autostart registry keys 48->69
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b/
Threat name:
ByteCode-MSIL.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2020-10-17 18:32:47 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gat356peeyvnaxfk3m4ncmfov3ktxi67exrzq63w6tkxukdpom5q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
46cf0d598ead968845e7d17cfba1b30eccb7a66fa639763ba99335b3ce4d8f65
AgentTesla
4fba937f1e8ae7eab73de2233f36e813fc2e4e889cbf5103f72ed642ba2e76c3
AgentTesla
5b2d98988762dc2de5918566081c7d43d9dacb82cede10c6af1cbb50ab0955a9
AgentTesla
6a2cc7556c8fb10ce705ad1b1fe835b359baed8c84071683528c6fd6a8dc0332
AgentTesla
6af32b6b849f1186317e65f84c1d59cc03ce878ca8e3706c5d7afae2389b3c64
AgentTesla
76aae91b7f532cb38c1848495595dbd02d6ded35faae729a5bfc65c69d17eef8
AgentTesla
9c127e6452920ba3691a6def9002058e51ef1897413e453c044fb47b75f3552f
AgentTesla
9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
AgentTesla
b8cf49555f75f9f06bdfb76150d4b3e1a01a831a7eac7b644dde084c212a43d2
AgentTesla
dec081544348d7000fcbd9ee30c3854733dc8b56f808f5dae28a21050fce03a2
AgentTesla
+ 10'833 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence trojan spyware family:agenttesla
Link:
https://tria.ge/reports/201018-jap49jk1j6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
4511d23fd8256f424ccb13a8e6cecea692e629c5c2f00b47f9a5a1469dbe461d
MD5 hash:
4c610ab0b16daa66e26d90dab6517245
SHA1 hash:
1197a1c0623ecd73697e63b086ed0bc0206862e0
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/00ea37cb-9ac8-474e-b207-ac0493c2ac81/
Parent samples :
9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
32815b68e914e1be70f1151343016ba71e70e48358ff50a36a052ac4e8721990
84b555de54d251346360a06f9537948fcbc653c81b2c733c02791bc64c6c4b9f
ee357cfde91f8df2a686f81a4b8d72c9df2ad51645801ac8a7202b5bcff515f4
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/00ea37cb-9ac8-474e-b207-ac0493c2ac81/
SH256 hash:
542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75
MD5 hash:
0ab09caf48c9dcbcbd53aef80493abd2
SHA1 hash:
fd985c8ed98d443fde035be26592b92662b9c5ea
Link:
https://www.unpac.me/results/00ea37cb-9ac8-474e-b207-ac0493c2ac81/
SH256 hash:
3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
MD5 hash:
b0cff698d1fd64ef9a159e2dbea1abaf
SHA1 hash:
44645a78e2dbe6dbd0e23c60204cb28dc4c4136b
Link:
https://www.unpac.me/results/00ea37cb-9ac8-474e-b207-ac0493c2ac81/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 5a74d23f4185a7ca5fd656dcc407791903f6c02ca8da224791adb914765ee754

AgentTesla

Executable exe 3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b

(this sample)

  
Dropped by
MD5 e3d101aca7716fe2987929fd33043314
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 5a74d23f4185a7ca5fd656dcc407791903f6c02ca8da224791adb914765ee754
Cape
Cape
https://www.capesandbox.com/analysis/72630/

Comments