MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 371f46d6159d5fcba2d1531a470938fcd195840aeaf1147ec894407a7387431d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 371f46d6159d5fcba2d1531a470938fcd195840aeaf1147ec894407a7387431d
SHA3-384 hash: 46e77a5596797b8534ab7685de0e9923c134579a632a5bcac217fe56241e19280a7e73fe87d61ce7182f731c4db62061
SHA1 hash: dffa2772b1f9edf18586d70fe83716a032634570
MD5 hash: e11f1e6bd79d5e12885434dcfd703ae3
humanhash: one-pizza-robin-social
File name:JOB REQUEST-CV.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'919'411 bytes
First seen:2020-10-02 14:09:29 UTC
Last seen:2020-10-02 14:20:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d349bb1fedb23758a6e397e5d691576 (8 x Bancteian, 7 x AZORult, 1 x AgentTesla)
ssdeep 49152:+UJ6ZNXox4SgJhBsfHJq/nCFT4Mv0Pt97NfY7+k5K1fyqv+ih69:+tR4xGnCtvwNSK1aqv+4M
Threatray 158 similar samples on MalwareBazaar
TLSH 9D067D16B6C41C3FC0AB17394C379B30997F7EA126269C1E1AF078DC8E7A5417D2A64B
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
Win.Trojan.Bancteian-0-6418983-0
Create hunting rule

Win.Malware.Delf-6821969-0
Create hunting rule

Win.Malware.Delf-6821971-0
Create hunting rule

Win.Malware.Delf-6840786-0
Create hunting rule

PUA.Win.Adware.Dealply-6840263-0
Create hunting rule

Win.Trojan.Delf-33906
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Creating a file
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows directory
Changing a file
Moving a file to the Windows directory
Moving a recently created file
Creating a file in the %AppData% directory
Moving a file to the %AppData% directory
Setting a keyboard event handler
Blocking the User Account Control
Unauthorized injection to a recently created process
Enabling autorun
Enabling a "Do not show hidden files" option
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480302
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 292591 Sample: JOB REQUEST-CV.exe Startdate: 02/10/2020 Architecture: WINDOWS Score: 100 48 g.msn.com 2->48 62 Antivirus detection for dropped file 2->62 64 Antivirus / Scanner detection for submitted sample 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 16 other signatures 2->68 9 JOB REQUEST-CV.exe 3 2->9         started        signatures3 process4 file5 30 C:\Users\user\Desktop\JOB REQUEST-CV.exe, PE32 9->30 dropped 32 C:\Users\user\AppData\Local\...\icsys.ico.exe, PE32 9->32 dropped 12 icsys.ico.exe 13 9->12         started        16 JOB REQUEST-CV.exe 6 9->16         started        process6 file7 34 C:\Windows\wininit.exe, PE32 12->34 dropped 36 C:\Windows\RCXAE05.tmp, PE32 12->36 dropped 38 C:\Users\user\AppData\Roaming\spoolsv.exe, PE32 12->38 dropped 46 4 other malicious files 12->46 dropped 86 Antivirus detection for dropped file 12->86 88 Machine Learning detection for dropped file 12->88 90 Drops executables to the windows directory (C:\Windows) and starts them 12->90 92 Drops PE files with benign system names 12->92 18 wininit.exe 13 12->18         started        22 svchost.exe 14 12->22         started        40 C:\Users\user\AppData\Roaming\bBNRIXym.exe, PE32 16->40 dropped 42 C:\Users\user\AppData\Local\...\tmpEA43.tmp, XML 16->42 dropped 44 C:\Users\user\...\JOB REQUEST-CV.exe .log, ASCII 16->44 dropped 94 Injects a PE file into a foreign processes 16->94 24 JOB REQUEST-CV.exe 15 4 16->24         started        26 schtasks.exe 1 16->26         started        signatures8 process9 dnsIp10 50 edge-block-www-env.dropbox-dns.com 162.125.66.15, 443, 49745, 49746 DROPBOXUS United States 18->50 52 192.168.2.1 unknown unknown 18->52 54 dl.dropboxusercontent.com 18->54 70 Antivirus detection for dropped file 18->70 72 Creates an undocumented autostart registry key 18->72 74 Machine Learning detection for dropped file 18->74 76 Installs a global keyboard hook 18->76 78 Tries to harvest and steal browser information (history, passwords, etc) 22->78 56 smtp.yandex.ru 77.88.21.158, 49867, 587 YANDEXRU Russian Federation 24->56 58 elb097307-934924932.us-east-1.elb.amazonaws.com 174.129.214.20, 443, 49860 AMAZON-AESUS United States 24->58 60 2 other IPs or domains 24->60 80 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 24->80 82 Tries to steal Mail credentials (via file access) 24->82 84 Tries to harvest and steal ftp login credentials 24->84 28 conhost.exe 26->28         started        signatures11 process12
Detection:
azorult
Create hunting rule
Link:
https://mwdb.cert.pl/sample/371f46d6159d5fcba2d1531a470938fcd195840aeaf1147ec894407a7387431d/
Threat name:
Win32.Trojan.Bancteian
Create hunting rule
Status:
Malicious
First seen:
2020-10-02 14:00:07 UTC
File Type:
PE (Exe)
Extracted files:
57
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g4punvqvtvp4xiwrkmneocjy7tizlbak5lyri7wisrahu44himoq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0622421f5a2a6dfa2de39175fbc710f982788677162c2e93ed1eb78d33d6bc75
AgentTesla
1b9451e9b76e1ca8efb1139b25e035ebc9fd9a4c5aebd9d5651b27828d3b6241
AgentTesla
6e176c82d8cf8842dc9f87b42be3713ffc55ab8a50fb4a3befed84f281706b83
AgentTesla
7775bf665391c8e930e16cdb4b1a78458ffe7e662a099376050d425a8c24637e
AgentTesla
be2763ce4e6c5c6a228efc795006966af947a33bb7992121d9f139f161f7ab15
AgentTesla
d68a5a2bf92f0f08b8eb6f39351462f81d65d54085c1c7ae3aa81b2d3018434e
AgentTesla
d7f3cc72163e809b398c83abb04b237d3f900fee8886e862995a2e5995c3d627
AgentTesla
e438d3d16690fe7c24844f8ebc7e2c5f66c2b24eb24b5d5f9afa9a863fa9d19d
AgentTesla
ea80f25ee70eca376f5e1214178f1f6d982dcb6231c79b70ad99a31fbe814b60
AgentTesla
ecd02b07f2d16323eb97c26de4ed644479f33bd6c20fe4b554cff7ef1b62c300
AgentTesla
+ 148 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan persistence spyware
Link:
https://tria.ge/reports/201002-kl7ngtnf1e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Modifies WinLogon for persistence
Modifies visiblity of hidden/system files in Explorer
UAC bypass
Unpacked files
SH256 hash:
371f46d6159d5fcba2d1531a470938fcd195840aeaf1147ec894407a7387431d
MD5 hash:
e11f1e6bd79d5e12885434dcfd703ae3
SHA1 hash:
dffa2772b1f9edf18586d70fe83716a032634570
Link:
https://www.unpac.me/results/e8847279-ea51-41a2-b2ad-82cfdded44f6/
SH256 hash:
257f5dd7532b70252668c3572d4be15938e7d2addfc825af0d545e2be750db35
MD5 hash:
022821920ac46b52a44cdf0196c1b469
SHA1 hash:
bf036ce07db9edd5128319c1635ce05a1a611f0e
Link:
https://www.unpac.me/results/e8847279-ea51-41a2-b2ad-82cfdded44f6/
SH256 hash:
243568283aecb91d1cf3471d4d2f0ab52f9570740b22949ab2d0a9e63305415b
MD5 hash:
9d15bbd071dc057a249a253798a02cdb
SHA1 hash:
7948fd843fc4ee8d8a23ead49228592785a7eb29
Link:
https://www.unpac.me/results/e8847279-ea51-41a2-b2ad-82cfdded44f6/
SH256 hash:
6e176c82d8cf8842dc9f87b42be3713ffc55ab8a50fb4a3befed84f281706b83
MD5 hash:
0b3be3491143383beebf686c98be4fa3
SHA1 hash:
1742a9abc40ad2ba5ef1fc8c68fd4032b0123b64
Link:
https://www.unpac.me/results/e8847279-ea51-41a2-b2ad-82cfdded44f6/
SH256 hash:
4e54129c98f6bed66274f06400f7c340fe55c82bb57e0abfea340fb195a1d493
MD5 hash:
24e420e57c8d424f5cfffa09f314d4cc
SHA1 hash:
40fcf0cee5f6617f0067298bd1c6d0b4beacc88d
Link:
https://www.unpac.me/results/e8847279-ea51-41a2-b2ad-82cfdded44f6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tufik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/371f46d6159d5fcba2d1531a470938fcd195840aeaf1147ec894407a7387431d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/67758/

Comments