MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 319317193be5eadd1f42f45e397d611c995452308320606c5f6e7d97869b6c8f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 319317193be5eadd1f42f45e397d611c995452308320606c5f6e7d97869b6c8f
SHA3-384 hash: 1173bfd64580297c9c9a215f894cde1f9f86d39c6d4f30479c2c07981cf07c30674e6b49d4dd72ff666e76f6d8ce8109
SHA1 hash: 0345bcf85e38e8ed04280b41237f726ce888c21e
MD5 hash: 8b693d99b41b6462f1f12650cb774c2c
humanhash: finch-solar-ack-charlie
File name:PAYMENT DETAILS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:430'080 bytes
First seen:2021-02-05 06:09:44 UTC
Last seen:2021-02-05 08:09:02 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:wsoISDMpra6zmf09AZOb1jBlLMhVcb4vHpeGnRRMEvQVOoDfrWux/yfsRAV3lwoZ:np1zq09Agzlgfcb+pTRydfHNyB5
Threatray 2'442 similar samples on MalwareBazaar
TLSH B094CF7C2AD9AD72F1BD4FBD44B4629417B2A9961503D3AF4AC094EA1E73FC04A01BD3
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAYMENT DETAILS.exe
Verdict:
No threats detected
Analysis date:
2021-02-05 07:25:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/b034e91b-e4d9-4045-ba88-9efdf2e5efdb

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/115705/
Detection(s):
SecuriteInfo.com.Generic.mg.8b693d99b41b6462.12219.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Changing the hosts file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/600009
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 349028 Sample: PAYMENT DETAILS.exe Startdate: 05/02/2021 Architecture: WINDOWS Score: 100 34 Found malware configuration 2->34 36 Multi AV Scanner detection for submitted file 2->36 38 Sigma detected: RegAsm connects to smtp port 2->38 40 6 other signatures 2->40 6 PAYMENT DETAILS.exe 2 2->6         started        9 kprUEGC.exe 2 2->9         started        11 kprUEGC.exe 1 2->11         started        process3 signatures4 42 Writes to foreign memory regions 6->42 44 Allocates memory in foreign processes 6->44 46 Injects a PE file into a foreign processes 6->46 13 RegAsm.exe 2 4 6->13         started        18 WerFault.exe 23 9 6->18         started        20 conhost.exe 9->20         started        22 conhost.exe 11->22         started        process5 dnsIp6 28 alsayyadi.com 162.241.242.7, 49768, 587 UNIFIEDLAYER-AS-1US United States 13->28 30 mail.alsayyadi.com 13->30 32 192.168.2.1 unknown unknown 13->32 24 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 13->24 dropped 26 C:\Windows\System32\drivers\etc\hosts, ASCII 13->26 dropped 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 13->50 52 Tries to steal Mail credentials (via file access) 13->52 54 6 other signatures 13->54 file7 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/319317193be5eadd1f42f45e397d611c995452308320606c5f6e7d97869b6c8f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-05 06:10:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
6
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ggjrogj34xvn2h2c6rpds7lbdsmviurqqmqga3c7nz6zpbu3nshq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2bff7918842a32e19021595f3276402ff1e1034130ed6dfbf4f3f11dda06a52d
AgentTesla
3813d5fe541f008c96f3a0f367113a1fa3c047f08815fcd8335c4b829523ca28
AgentTesla
5defd50046db301c82c85cc8306960982f576cbf5446f24062cc570dcf0becec
AgentTesla
69f4101e63fdfdec4a5b6fc4a778619a69f9511416dd90fe9df33502ff8d9d4f
AgentTesla
8dc64c2876b1b1182e6f28cf85ddae49b5a3e8851bfcdf257a8c9e9e1a044413
AgentTesla
9bad59a7b2c604957e6dc7f52dbebcaf6b240eba426bdd2e973625cdd6c50c50
AgentTesla
a51bd84d3facb55aaa7d351f79a6383f50b362c48a7abf373675aedd13aa9770
AgentTesla
c813f48272b6106bf37619e57fbde62d1edb5fa5772a1a131374ca05685450a7
AgentTesla
d3083455681d65c6d3d151874554ad31b053ea89daa743f09ad2128e978999dc
AgentTesla
e694eadb2f24bf7de44a2cc1d1fbc3d2e84d83d6cac2be444aef377bea95cc29
AgentTesla
+ 2'432 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210205-zcdqy4v2fa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
Beds Protector Packer
AgentTesla
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/e7cfed17-f72c-4e73-ba07-478da6ea8c35/
SH256 hash:
1f62f062c7f6f5fd75eead1e16c327b62ff53d9affe4dfeafd2f10f2d5d420eb
MD5 hash:
096c9e71228ef546b476e2067d668d77
SHA1 hash:
8693fc34ef6745b748606092be8289f50a685376
Link:
https://www.unpac.me/results/e7cfed17-f72c-4e73-ba07-478da6ea8c35/
SH256 hash:
521e2e1da3e979d66c3ef5b9105dda25828925420886e2d1652a03470d93a4a4
MD5 hash:
26b3abd49bced0e36edd1634d3102e0f
SHA1 hash:
53b574ec40c8c979c9b028f7d6ac7efbb1e7b9d9
Link:
https://www.unpac.me/results/e7cfed17-f72c-4e73-ba07-478da6ea8c35/
SH256 hash:
319317193be5eadd1f42f45e397d611c995452308320606c5f6e7d97869b6c8f
MD5 hash:
8b693d99b41b6462f1f12650cb774c2c
SHA1 hash:
0345bcf85e38e8ed04280b41237f726ce888c21e
Link:
https://www.unpac.me/results/e7cfed17-f72c-4e73-ba07-478da6ea8c35/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/319317193be5eadd1f42f45e397d611c995452308320606c5f6e7d97869b6c8f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_EXE_Packed_ConfuserExMod_BedsProtector
Create hunting rule
Author:ditekSHen
Description:Detects executables packed with ConfuserEx Mod Beds Protector
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip fdce51c72a6bce61dbc902c90d3c69713f693cc4a6ac7f290a75a14b9804160b

AgentTesla

Executable exe 319317193be5eadd1f42f45e397d611c995452308320606c5f6e7d97869b6c8f

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/115705/
  
Dropped by
SHA256 fdce51c72a6bce61dbc902c90d3c69713f693cc4a6ac7f290a75a14b9804160b

Comments