MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37b6d65727f88fe36849efc718e55c7316daf13e6e72effb96eb715bfc22894c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 37b6d65727f88fe36849efc718e55c7316daf13e6e72effb96eb715bfc22894c
SHA3-384 hash: 62150879b7e82e4e672d1a5ec9de2a425dd1f1f2e9f40cf535dcd2d4c62139dac1f4bf3ee7f5c4e7ef4089e0207f39f8
SHA1 hash: dd5fcbda703cb433b1e7baf32dfc75eafa589cea
MD5 hash: 79a2ebb57d165bb36ef51d926ef4b731
humanhash: princess-tennessee-asparagus-four
File name:Order12567.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:628'736 bytes
First seen:2020-10-22 06:12:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:wkP5BwQROZ7nn5cO2J/528sp+q43yvhANn5:p5BqlcO2528sMZ+Un5
Threatray 774 similar samples on MalwareBazaar
TLSH B2D4F13A6240BF21F47D0A77C8D5A221E3BBDC02AE43D56A58F035ADACB7BE94551307
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

From: mayur.lad@timetechnoplast.com
Subject: RE: Please Urgent Request New Order12567
Attachment: Order12567.rar (contains "Order12567.exe")

AgentTesla SMTP exfil server:
smtp.hydrofllexpipes.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/74452/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.30384.13086.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/506603
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/37b6d65727f88fe36849efc718e55c7316daf13e6e72effb96eb715bfc22894c/
Threat name:
ByteCode-MSIL.Ransomware.TeslaCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 16:28:41 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=g63nmvzh7ch6g2cj57drrzk4omlnv4j6nzzo764w5nyvx7bcrfga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
22e8a783296dcabf49cb2c9b5f5a05b1cf670591e71130b08424a450aa54c419
AgentTesla
2c4cd5dc3ad1f238e7e186c4ab0fd34c2fb2215c7aadbd85f45850a6dffcde14
AgentTesla
38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d
AgentTesla
5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66
AgentTesla
69b99d16f072c6ab2687da255681f3f1c3a97746bfe516b206644a5056a99425
AgentTesla
94f225b0d4018228ee1c69317cd8f369f3c343378145e41cdf939d4dd30b988d
AgentTesla
9693d78b6cb6fcdb5e129c278d307d7fa6bef2fff302498909640051f22b730e
AgentTesla
ba495069a1b601a12f32f6e346dfe60958f73caa0048fb702e357fee17d58d54
AgentTesla
bea5a2a0bade8802b63d59a653b7140792acdfa1fd3f92ccafe9bb592a94882d
AgentTesla
e1e0a4fba3b1dc2e64ac088f5839fe75832cd9a824fd9f0f5e043821d9d18b0c
AgentTesla
+ 764 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201022-bfg5eddg7n/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
7e62ca0d74775fc4d793cd76bf137bfc84ae8d9bf9e2f627a68b8a146ecbdde5
MD5 hash:
eabb98c26b0c49cd849bd50b961179c0
SHA1 hash:
2065a36d9f63ad504702940fb456f9bd6517aacd
Link:
https://www.unpac.me/results/f818c359-e7d9-4ef9-8e18-6c1d8edc778f/
SH256 hash:
ae8e20ac65ae3ecbfaa2fc357964639f7fe8d5d14e6f7bfe6c418c580f527093
MD5 hash:
8b896bc447f62523cc6e133007e0b89a
SHA1 hash:
21398446a4d2d0e0020bacfd7aa10dca26adb3bf
Link:
https://www.unpac.me/results/f818c359-e7d9-4ef9-8e18-6c1d8edc778f/
SH256 hash:
d89c489979aeb63595f4592c5a1d16a695d527b4f75c644306168ccf8b2c446d
MD5 hash:
4e0891b419bf94346e5af342a9930ff6
SHA1 hash:
8bdc8aab4ebd40ad87af189a135c9e3abb2fdce7
Link:
https://www.unpac.me/results/f818c359-e7d9-4ef9-8e18-6c1d8edc778f/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/f818c359-e7d9-4ef9-8e18-6c1d8edc778f/
SH256 hash:
37b6d65727f88fe36849efc718e55c7316daf13e6e72effb96eb715bfc22894c
MD5 hash:
79a2ebb57d165bb36ef51d926ef4b731
SHA1 hash:
dd5fcbda703cb433b1e7baf32dfc75eafa589cea
Link:
https://www.unpac.me/results/f818c359-e7d9-4ef9-8e18-6c1d8edc778f/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 1783b20c28af10fd0af9db2a60d4bbecc744cbb5b1134bb966674097367ba4a3

AgentTesla

Executable exe 37b6d65727f88fe36849efc718e55c7316daf13e6e72effb96eb715bfc22894c

(this sample)

  
Dropped by
MD5 c7f4f8100b8a1bcd217e3f894dfb0e29
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74452/
  
Dropped by
SHA256 1783b20c28af10fd0af9db2a60d4bbecc744cbb5b1134bb966674097367ba4a3

Comments