MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 31e9e7ca798fc5177eb571c001d4d7ae44e141818fa31fb8fe654d44afe3df53. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	31e9e7ca798fc5177eb571c001d4d7ae44e141818fa31fb8fe654d44afe3df53
SHA3-384 hash:	c2ca2ab0dad7ec326b84c2ceb61e08b7e956b66e95786874951f1ab36ca0d03f15b2fd4bcd63c3835738fd3cd9ef516e
SHA1 hash:	5586e81bd878e709d449e083febf7ac87496b5f3
MD5 hash:	47f363f18aab493da421c6bd96a199c2
humanhash:	speaker-summer-video-gee
File name:	REQUEST FOR PRODUCTS SUPPLY.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	780'288 bytes
First seen:	2020-09-18 09:32:29 UTC
Last seen:	2020-09-18 10:42:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:6iTzYG1w0wODUfB1gomk2UB5LuxZ7f3LeOp8lqW6fTI03NdAA:6iTz/tUf5mkv5KP7fbeOpac33A
Threatray	106 similar samples on MalwareBazaar
TLSH	D2F408F23343846DCA2A0175547B82C3F573228E6EA4492DB0BADB0D2E1B7C7579265F
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Generic.mg.47f363f18aab493d.15810.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Sending a UDP request

Creating a file

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/469850

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/31e9e7ca798fc5177eb571c001d4d7ae44e141818fa31fb8fe654d44afe3df53/

Threat name:

ByteCode-MSIL.Trojan.Negasteal

Status:

Malicious

First seen:

2020-09-18 09:34:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ghu6pstzr7cro7vvohaadvgxvzcocqmbr6rr7oh6mvgujl7d35jq._file

Verdict:

unknown

AgentTesla

3d8ff1b4492a541b44c03733b090c73fd992535d8c4e867abc0e6aeaf5b58b30

AgentTesla

5dd54174543f8e681162c6c8462209da761db5e2ccb38cb8408ef0232956b3ce

AgentTesla

62afb1cbcacb77aa2ca99cc55c0e3536738415289f53c4a3a57d9b9cc08ee5ab

AgentTesla

80f341333728513fea45dc07c8582e5a8c3ac630de39b53ef23d1742ddc0f5d2

AgentTesla

885179565290381c8e8e883f1e4c776507c1ddd3bfa8902f432ea31fbf01c683

AgentTesla

99afa20e22dac4e8fd5f536c3fd6c806fa6a9f52a0458c0c1a90fdc3e8a1f3f8

AgentTesla

c2af32087beb20ac52dd19d5cd1f2a389bb58e424790a0c820dd450cf0c48847

AgentTesla

c639621985cf5e13b426c10f605d28767636aabd6ac4e8d16da8ddc2c2bbc356

AgentTesla

d5231355835fc25fb6f9923639331084ff0ae602929793c263e01eda38d2fa1b

AgentTesla

+ 96 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200918-skj8q1nt7j/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/31e9e7ca798fc5177eb571c001d4d7ae44e141818fa31fb8fe654d44afe3df53

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar