MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 32815b68e914e1be70f1151343016ba71e70e48358ff50a36a052ac4e8721990. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 32815b68e914e1be70f1151343016ba71e70e48358ff50a36a052ac4e8721990
SHA3-384 hash: d2e0de3171f1946df25e01bae5b1e13c62e609ed62e16348a43f3188749aa376ea968b3f1c6ab33b2fce0c148d4c3f0a
SHA1 hash: 31a468b634932db0e444b08a2e5a9b2b64eb4d4a
MD5 hash: 0b63519b4ec47386eaa953149655913e
humanhash: carpet-arkansas-high-montana
File name:SecuriteInfo.com.BackDoor.SpyBotNET.17.12571.900
Download: download sample
Signature AgentTesla
Create hunting rule
File size:783'872 bytes
First seen:2020-11-01 02:16:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:3DCY7oJgKG9WPWYBbUjYOlX8Ep/MqIQv9e:3OYQLuqe5lHC
Threatray 10'894 similar samples on MalwareBazaar
TLSH 9EF47C4B7B34A6A4C567F3FB02D8962813E1FCC71210AB461F2976E154B3AD29D3C69C
Reporter SecuriteInfoCom
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
124
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/81567/
Detection(s):
SecuriteInfo.com.BackDoor.SpyBotNET.17.12571.900.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching cmd.exe command interpreter
Creating a process from a recently created file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
99 / 100
Link:
https://www.joesandbox.com/analysis/517557
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 307882 Sample: SecuriteInfo.com.BackDoor.S... Startdate: 01/11/2020 Architecture: WINDOWS Score: 99 69 Found malware configuration 2->69 71 Antivirus / Scanner detection for submitted sample 2->71 73 Multi AV Scanner detection for submitted file 2->73 75 3 other signatures 2->75 9 SecuriteInfo.com.BackDoor.SpyBotNET.17.12571.exe 4 2->9         started        13 appliczaion.exe 2 2->13         started        15 ljYBX.exe 4 2->15         started        17 ljYBX.exe 2->17         started        process3 file4 55 SecuriteInfo.com.B...ET.17.12571.exe.log, ASCII 9->55 dropped 93 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->93 19 cmd.exe 1 9->19         started        21 cmd.exe 2 9->21         started        24 InstallUtil.exe 13->24         started        28 conhost.exe 15->28         started        30 conhost.exe 17->30         started        signatures5 process6 dnsIp7 32 appliczaion.exe 4 19->32         started        35 conhost.exe 19->35         started        51 C:\Users\user\AppData\...\appliczaion.exe, PE32 21->51 dropped 37 conhost.exe 21->37         started        59 smtp.gmail.com 24->59 77 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->77 79 Tries to steal Mail credentials (via file access) 24->79 81 Tries to harvest and steal ftp login credentials 24->81 83 3 other signatures 24->83 file8 signatures9 process10 signatures11 61 Antivirus detection for dropped file 32->61 63 Multi AV Scanner detection for dropped file 32->63 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->65 39 InstallUtil.exe 2 9 32->39         started        44 cmd.exe 1 32->44         started        67 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 37->67 process12 dnsIp13 57 smtp.gmail.com 74.125.133.108, 49707, 49710, 49729 GOOGLEUS United States 39->57 53 C:\Users\user\AppData\Roaming\...\ljYBX.exe, PE32 39->53 dropped 85 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 39->85 87 Tries to steal Mail credentials (via file access) 39->87 89 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 39->89 91 4 other signatures 39->91 46 reg.exe 1 1 44->46         started        49 conhost.exe 44->49         started        file14 signatures15 process16 signatures17 95 Creates multiple autostart registry keys 46->95
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/32815b68e914e1be70f1151343016ba71e70e48358ff50a36a052ac4e8721990/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 02:27:36 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=gkavw2hjctq344hrcujugallu4phbzedld7vbi3kauvmj2dsdgia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
AgentTesla
46cf0d598ead968845e7d17cfba1b30eccb7a66fa639763ba99335b3ce4d8f65
AgentTesla
4fba937f1e8ae7eab73de2233f36e813fc2e4e889cbf5103f72ed642ba2e76c3
AgentTesla
5b2d98988762dc2de5918566081c7d43d9dacb82cede10c6af1cbb50ab0955a9
AgentTesla
6a2cc7556c8fb10ce705ad1b1fe835b359baed8c84071683528c6fd6a8dc0332
AgentTesla
76aae91b7f532cb38c1848495595dbd02d6ded35faae729a5bfc65c69d17eef8
AgentTesla
9c127e6452920ba3691a6def9002058e51ef1897413e453c044fb47b75f3552f
AgentTesla
9c72f4a1b6edb5068a4dafba53d81748bbabacf1c62525e4906e118a9427a157
AgentTesla
9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
AgentTesla
dec081544348d7000fcbd9ee30c3854733dc8b56f808f5dae28a21050fce03a2
AgentTesla
+ 10'884 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201101-zcb77m2qxx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
32815b68e914e1be70f1151343016ba71e70e48358ff50a36a052ac4e8721990
MD5 hash:
0b63519b4ec47386eaa953149655913e
SHA1 hash:
31a468b634932db0e444b08a2e5a9b2b64eb4d4a
Link:
https://www.unpac.me/results/c40a0794-97ca-45c5-9473-6e9aec0257ef/
SH256 hash:
4511d23fd8256f424ccb13a8e6cecea692e629c5c2f00b47f9a5a1469dbe461d
MD5 hash:
4c610ab0b16daa66e26d90dab6517245
SHA1 hash:
1197a1c0623ecd73697e63b086ed0bc0206862e0
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/c40a0794-97ca-45c5-9473-6e9aec0257ef/
Parent samples :
9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
32815b68e914e1be70f1151343016ba71e70e48358ff50a36a052ac4e8721990
84b555de54d251346360a06f9537948fcbc653c81b2c733c02791bc64c6c4b9f
ee357cfde91f8df2a686f81a4b8d72c9df2ad51645801ac8a7202b5bcff515f4
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/c40a0794-97ca-45c5-9473-6e9aec0257ef/
SH256 hash:
542282ed737d2cb55e3cb59d05e58e8dbf6473d63461194a9ba597f0f3eb5d75
MD5 hash:
0ab09caf48c9dcbcbd53aef80493abd2
SHA1 hash:
fd985c8ed98d443fde035be26592b92662b9c5ea
Link:
https://www.unpac.me/results/c40a0794-97ca-45c5-9473-6e9aec0257ef/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/32815b68e914e1be70f1151343016ba71e70e48358ff50a36a052ac4e8721990

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/81567/

Comments