MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 388d492a064de7f9de994a61e1262feaad2fec491ab9b572b5ce87713d0dd1e3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 388d492a064de7f9de994a61e1262feaad2fec491ab9b572b5ce87713d0dd1e3
SHA3-384 hash: 53252337541388d4f40851c02106186a0f85e468298410a212b5fe5dd55f1b2f641ae142de45c9a7fc6b778521299a84
SHA1 hash: 099c84c126a4810b352b70076ef8124168b8309a
MD5 hash: 5872202187219323bb91fe115e8682c7
humanhash: march-jupiter-fifteen-mobile
File name:PO#43362020.PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'186'304 bytes
First seen:2020-10-12 13:57:30 UTC
Last seen:2020-10-12 14:53:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 24576:WlgI8/f/e0ySr7osMk2OZfj7zk6KN9ykKb6nnjqKoe:WlgIU/e0xr7A8xj7zk5NLvjqKoe
Threatray 9'487 similar samples on MalwareBazaar
TLSH 8745E05336908B88DE7E87F66216404023F5AC7FA51CE20D2FC526EB5EF5F924911B2B
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70098/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42621.8490.28957.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488479
Signature
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296679 Sample: PO#43362020.PDF.exe Startdate: 12/10/2020 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 Sigma detected: Scheduled temp file as task from temp location 2->44 46 10 other signatures 2->46 7 PO#43362020.PDF.exe 8 2->7         started        11 zvVbs.exe 7 2->11         started        process3 file4 28 C:\Users\user\AppData\...\cdmpigCpSHvA.exe, PE32 7->28 dropped 30 C:\Users\user\AppData\Local\...\tmp6561.tmp, XML 7->30 dropped 32 C:\Users\user\...\PO#43362020.PDF.exe.log, ASCII 7->32 dropped 48 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->48 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->50 52 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->52 54 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->54 13 PO#43362020.PDF.exe 2 7 7->13         started        18 schtasks.exe 1 7->18         started        56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 60 Injects a PE file into a foreign processes 11->60 20 zvVbs.exe 4 11->20         started        22 schtasks.exe 1 11->22         started        signatures5 process6 dnsIp7 38 iberweb25a.ibername.com 188.93.230.198, 49736, 49747, 49749 CLARANET-ASClaraNETLTDGB Portugal 13->38 34 C:\Users\user\AppData\Roaming\...\zvVbs.exe, PE32 13->34 dropped 36 C:\Users\user\...\zvVbs.exe:Zone.Identifier, ASCII 13->36 dropped 62 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->62 64 Moves itself to temp directory 13->64 66 Tries to steal Mail credentials (via file access) 13->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 13->68 24 conhost.exe 18->24         started        70 Tries to harvest and steal ftp login credentials 20->70 72 Tries to harvest and steal browser information (history, passwords, etc) 20->72 74 Installs a global keyboard hook 20->74 26 conhost.exe 22->26         started        file8 signatures9 process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/388d492a064de7f9de994a61e1262feaad2fec491ab9b572b5ce87713d0dd1e3/
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-10-12 01:38:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
47
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=hcguskqgjxt7txuzjjq6cjrp5kws73cjdk43k4vvz2dxcpin2hrq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
042e32eb8970e6dd8e767bb75bc25b3325c314783b9c3bb365727584dba4d918
AgentTesla
054b7c5d38a00ecfc40168d4dc21610139c5ab6a46d2a0e851ef100397d5e5e9
AgentTesla
1fb23de8da95ef200663ec6bffe9a439b6c39927559b5e103a488cf54355ebad
AgentTesla
35053de930782e8179e3721c8927c499b71dc9926db872b722fe8b5ec5b300b2
AgentTesla
4255ae6b31d6068463b663c1871ac8cee3461b0d3fbf642f96cf9a3e8817803c
AgentTesla
792259d9e6e262d17cc54f4b43c8e95cd0be1e533f5e5032a5cdefb9f899a6a2
AgentTesla
b0f6052c071380b0413ba33ab5f888442bba649614a7102ade644d7195487bed
AgentTesla
b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181
AgentTesla
f4b7759a1a42ebd89a61ed697ca26661dff56719bbf254b7b1f400f3cf4487d1
AgentTesla
f638e03e33b24d736db2873b3dee14d8312731d040adb93265b99e21b94b3978
AgentTesla
+ 9'477 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer evasion spyware trojan family:agenttesla persistence
Link:
https://tria.ge/reports/201012-31xkbbx3b2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
388d492a064de7f9de994a61e1262feaad2fec491ab9b572b5ce87713d0dd1e3
MD5 hash:
5872202187219323bb91fe115e8682c7
SHA1 hash:
099c84c126a4810b352b70076ef8124168b8309a
Link:
https://www.unpac.me/results/d39fd5da-9630-405f-8d92-fd9e62a8504b/
SH256 hash:
27ab6250efc21ec93aed1c336a6982293755a8a0fc9d82cb91d0b92e498900be
MD5 hash:
97d2a1fcdd66528ad4535aebaf130150
SHA1 hash:
194c99154514e8a734c9ff13499e52719fac908e
Link:
https://www.unpac.me/results/d39fd5da-9630-405f-8d92-fd9e62a8504b/
SH256 hash:
607f04646c9f16f7c23fa69d4b8f660fc7c44d40e4f73a0c70a2b315debdaa8b
MD5 hash:
a90baadadf904455325f7bc787185c7b
SHA1 hash:
7d833bb819d638008c98be469b05db2feaf201cd
Link:
https://www.unpac.me/results/d39fd5da-9630-405f-8d92-fd9e62a8504b/
SH256 hash:
53beee864a9887bb1913792342774b6a157c62faf9931b36427504cb3d6b1558
MD5 hash:
eeeb3a75e266c00b5af4860775c94c45
SHA1 hash:
c668008b58119027b00530a67c6c21bf8d767b23
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/d39fd5da-9630-405f-8d92-fd9e62a8504b/
Parent samples :
388d492a064de7f9de994a61e1262feaad2fec491ab9b572b5ce87713d0dd1e3
024598d7c004847840796cfd03af4e03701b9653adf305f2483cfaaab5c47355
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/388d492a064de7f9de994a61e1262feaad2fec491ab9b572b5ce87713d0dd1e3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/70098/

Comments