MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 320cad5692bb7d085732786b1823aac9c24aed4a2d1132763d3541f90380708e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 9



SHA256 hash: 320cad5692bb7d085732786b1823aac9c24aed4a2d1132763d3541f90380708e
SHA3-384 hash: d983fa757149a7e4c07fcb3119b4c4170a723b07e1ae6f70f6c8b8cec1e8452b05032fd825a26ef18ae4f80b2b084c99
SHA1 hash: 568004fef4eeeeb18e0428fe4a018a58488f5d92
MD5 hash: b64a39f1c1967f349eb90ff41d27ece6
humanhash: network-cup-grey-sodium
File name: 8398172028337db0748732f113503b82.exe
Signature: AgentTesla
File size: 1'683'360 bytes
First seen: 2020-11-02 15:50:07 UTC
Last seen: 2020-11-08 14:05:49 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep: 6144:m4D0p9WBQf5WB/HQRoiDoqWQ3orLojBtDYQDe9xBwvsi4qyi79Loqo6JhBHxZvyx:OOQf5JowKXNuHgeVtMjPPSCCQi7Vy
Threatray: 886 similar samples on MalwareBazaar
TLSH: C875F44E4C1DEE905C980B7F71F93AC436A1C68F9CCA93A71C65C63B29D951F0ACAC94
Reporter: James_inthe_box
Tags: AgentTesla exe

Code Signing Certificate

Organisation: Microsoft Windows
Issuer: Microsoft Windows
Algorithm: sha256WithRSAEncryption
Valid from: Nov 2 08:06:45 2020 GMT
Valid to: Nov 2 08:06:45 2021 GMT
Serial number: 709186DB6474498A12C86D1E07B2828C
Thumbprint Algorithm: SHA256
Thumbprint: AA02778AC792A3B6E34D3BF7ACF89730AFDF2CB589B676E7F1038840DA1B7631
Source: This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence


File Origin
# of uploads: 2
# of downloads: 67
Origin country: n/a

Vendor Threat Intelligence

Result
Verdict: Malware
Maliciousness:
Behaviour
Sending a UDP request
Adding an access-denied ACE
Launching a process
Creating a window
Launching the default Windows debugger (dwwin.exe)
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict: UNKNOWN
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Contains functionality to hide a thread from the debugger
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph ID: 308268; Sample: 8398172028337db0748732f1135...; Startdate: 02/11/2020; Architecture: WINDOWS; Score: 100
Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Multi AV Scanner detection for submitted file; 4 other signatures
Process tree:
  8398172028337db0748732f113503b82.exe (started)
    signatures: Writes to foreign memory regions; Allocates memory in foreign processes; Hides threads from debuggers; 2 other signatures
    RegSvcs.exe (started)
      dns/ip: greatwestern.id 103.229.73.122, 49755, 49757, 587, MWN-AS-IDPTMasterWebNetworkID Indonesia; mail.greatwestern.id; 3 other IPs or domains
      dropped: C:\Users\user\AppData\Roaming\...\newapp.exe, PE32
      signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file access); 5 other signatures
    WerFault.exe (started)
  newapp.exe (started)
    conhost.exe (started)
  newapp.exe (started)
    conhost.exe (started)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-11-02 08:32:24 UTC
File Type: PE (.Net Exe)
Extracted files: 1
AV detection: 21 of 27 (77.78%)
Threat level: 5/5

Result
Malware family: agenttesla
Score: 10/10
Tags: family:agenttesla keylogger persistence spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SHA256 hash: 320cad5692bb7d085732786b1823aac9c24aed4a2d1132763d3541f90380708e
MD5 hash: b64a39f1c1967f349eb90ff41d27ece6
SHA1 hash: 568004fef4eeeeb18e0428fe4a018a58488f5d92

SHA256 hash: 74c7956519d804d00d6a39836c9b1097b28d2614845f96eae6f1d4590f8fc159
MD5 hash: 32a7ea0e85706b8687916b90dd4f9e8c
SHA1 hash: 58e3c488085058ff1e60b504f9666b9c55860918

SHA256 hash: 98b7fd64b1b67e69b59e9e8a4b2d6f00b65a919c9734523976348110f89c917c
MD5 hash: ab6f8b4eeff2166f1c01e397209c5fb1
SHA1 hash: 837db2cc92a779d33a409150c1f202fcbf4b6e46
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Other

Comments