MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 392faa37063ee6a619a3091d1d7a27b8c0d86d35a7f1594720822f8a94ce9d1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	392faa37063ee6a619a3091d1d7a27b8c0d86d35a7f1594720822f8a94ce9d1b
SHA3-384 hash:	6922997f42922b4a8eeccf956e9e07bae8bcd85ada035bd76688898adf5583abeecb45075d4e0fb6fe868639f205cd9c
SHA1 hash:	6669cd006c13bbf3927063ffe5701bad1b698c3f
MD5 hash:	b3af901e962e7693a2be0ffd2c360538
humanhash:	whiskey-green-arizona-tennessee
File name:	Transfer Forms.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'110'016 bytes
First seen:	2020-07-30 07:06:00 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'634 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	24576:6HUmUUEkNR9wX4tpJ2S7rZd1u5qVlHNjwTslX7XA:oUm6XEJ7UqVltfl8
Threatray	10'699 similar samples on MalwareBazaar
TLSH	C035D0057A50E56EC67F8F72D6894800DFF4B8AE8607E38F74C573AF29CB36A9406161
Reporter	abuse_ch
Tags:	AgentTesla Endurance scr

abuse_ch

Malspam distributing AgentTesla:

HELO: 162-144-100-85.unifiedlayer.com
Sending IP: 162.144.38.36
From: PAY-U <enquiry@oxy99.in>
Reply-To: PAY-U <account@payu.com>
Subject: INCORRECT BANK DETAILS FOR PAYMENT
Attachment: Transfer Forms.img (contains "Transfer Forms.scr")

AgentTesla SMTP exfil server:
mail.northwestpowdercoating.co.uk:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/35319/

Detection(s):

SecuriteInfo.com.Backdoor.MSIL.atah.2859.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/403219

Signature

Found malware configuration

Injects a PE file into a foreign processes

Installs a global keyboard hook

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/392faa37063ee6a619a3091d1d7a27b8c0d86d35a7f1594720822f8a94ce9d1b/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-30 07:07:14 UTC

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=hex2unygh3tkmgndbeor26rhxdanq3jvu7yvsrzaqixyvfgotunq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

23b93bf59a03f210eb7b4f0054944dc1b0e09a8ac1fac00c5c4b30dc4b3263e5

AgentTesla

8470a2e93ae48abb1b987d9927277eb7a3bde99fe0d048274f839cc25aa3aa95

AgentTesla

a328e8d5a2b4df219aad313546991fcd37a995373320a84d32ee33f8a5cf867d

AgentTesla

a718e6c2ed2f55f15dd9da00dace39eff7a8c277418e2dbf5a3cd17ee1ab5c48

AgentTesla

aa8c8d0ec55c08d2adb88281098498992f2c415464626548c882cf7b59c54ed7

AgentTesla

c62d74e427c8f171115756dc18267a987b29b7d289e34daca91027bc87a5c6c9

AgentTesla

d5434b833a6b29c1f83aee2a0c8c5584467e495e452f7e6e676235b7e4870033

AgentTesla

d8bc45dfe42dc6266ac8e05d9e00206c3c4997dd2c287bb5ef1d4bb8862b8d02

AgentTesla

f8489030f3c79639a56320cdd06179b2f3cf280824cd80d8b3c333c8aabd3d9f

AgentTesla

+ 10'689 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200730-mhw6bh88x2/

Behaviour

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Reads user/profile data of local email clients

Reads data files stored by FTP clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/392faa37063ee6a619a3091d1d7a27b8c0d86d35a7f1594720822f8a94ce9d1b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar