MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 3bb9f55514122071824320091030f517a2809c140d86791275037569b26f53f1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 3bb9f55514122071824320091030f517a2809c140d86791275037569b26f53f1
SHA3-384 hash: eb21e780b99a097a2ba7c1e42260a9fdce30d6f7213d15eb07fc36c9ddcf64b039ca513edf4ba3488d5b0ead00664d4c
SHA1 hash: 14f77334b3bca11e07f52408c1d216b5af139a5c
MD5 hash: 77f95dce9fa89e5c94feec855efcb1da
humanhash: lake-colorado-florida-beryllium
File name:Ninja_Project.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'241'024 bytes
First seen:2020-10-05 03:09:10 UTC
Last seen:2020-10-05 03:48:51 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 24576:TksQWhHGhYIDTTQL86WFB3nblGNYT0+5FwxoMUnLkuokTHyh3LpcybuSQEpqXAvF:gRDfQLT4pG+T0+57nLkuokC7VbuStpn
Threatray 13 similar samples on MalwareBazaar
TLSH 38A512383354C9EBC6BC44B6C284C1B157768C17A256EB276DC2BDAF7AD03A5AD0305B
Reporter vm001cn
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
273
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Ispy
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68033/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Creating a file in the %AppData% subdirectories
Launching a process
Running batch commands
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Creating a file
Creating a window
Launching the process to change network settings
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Creating a process from a recently created file
Launching the default Windows debugger (dwwin.exe)
Reading critical registry keys
DNS request
Delayed writing of the file
Sending a custom TCP request
Sending an HTTP GET request
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Unauthorized injection to a recently created process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480974
Signature
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Contains functionality to hide user accounts
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Performs a network lookup / discovery via ARP
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 292927 Sample: Ninja_Project.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 78 api.auth.gg 2->78 94 Multi AV Scanner detection for domain / URL 2->94 96 Malicious sample detected (through community Yara rule) 2->96 98 Antivirus detection for dropped file 2->98 100 12 other signatures 2->100 10 Ninja_Project.exe 11 2->10         started        14 Chrome updaters.exe 2->14         started        signatures3 process4 file5 64 C:\Users\user\Desktop\keys.util, PE32 10->64 dropped 66 C:\Users\user\AppData\...\Chrome updaters.exe, PE32 10->66 dropped 68 C:\...\Chrome updaters.exe:Zone.Identifier, ASCII 10->68 dropped 70 C:\Users\user\...70inja_Project.exe.log, ASCII 10->70 dropped 110 Drops PE files to the startup folder 10->110 112 Writes to foreign memory regions 10->112 114 Injects a PE file into a foreign processes 10->114 16 MSBuild.exe 15 25 10->16         started        20 cmd.exe 10->20         started        22 ctfmom.exe 10->22         started        72 C:\Users\user\AppData\Roaming\...\ctfmom.exe, PE32 14->72 dropped 74 C:\Users\user\AppData\Roaming\...\keys.util, PE32 14->74 dropped 24 MSBuild.exe 14->24         started        signatures6 process7 dnsIp8 76 ip-api.com 208.95.112.1, 49731, 49744, 80 TUT-ASUS United States 16->76 84 Tries to steal Mail credentials (via file access) 16->84 86 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 16->86 88 Tries to harvest and steal WLAN passwords 16->88 26 cmd.exe 1 16->26         started        29 cmd.exe 2 16->29         started        31 WerFault.exe 23 9 16->31         started        34 keys.util 20->34         started        36 conhost.exe 20->36         started        90 Multi AV Scanner detection for dropped file 22->90 38 WerFault.exe 22->38         started        92 Tries to harvest and steal browser information (history, passwords, etc) 24->92 40 cmd.exe 24->40         started        42 cmd.exe 24->42         started        signatures9 process10 dnsIp11 102 Tries to harvest and steal WLAN passwords 26->102 44 netsh.exe 3 26->44         started        46 conhost.exe 26->46         started        58 2 other processes 26->58 48 tasklist.exe 1 29->48         started        50 conhost.exe 29->50         started        80 192.168.2.1 unknown unknown 31->80 82 api.auth.gg 104.31.70.150, 443, 49737, 49747 CLOUDFLARENETUS United States 34->82 104 Antivirus detection for dropped file 34->104 106 Machine Learning detection for dropped file 34->106 108 Performs a network lookup / discovery via ARP 34->108 52 ARP.EXE 34->52         started        54 WerFault.exe 34->54         started        60 4 other processes 40->60 56 conhost.exe 42->56         started        signatures12 process13 process14 62 conhost.exe 52->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/3bb9f55514122071824320091030f517a2809c140d86791275037569b26f53f1/
Threat name:
Win32.Ransomware.OsnoCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 03:11:21 UTC
File Type:
PE (.Net Exe)
Extracted files:
8
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ho47kviuciqhdasdeaeramhvc6ribhaubwdhsetvan2wtmtpkpyq._file
Verdict:
unknown
Similar samples:
0437a3b7c497908d0dc489a1b21cf395b76eedae8f1a1b473ecbb5f02e892bf9
AgentTesla
10b2e74fdeacd4b00b7687eca2f1bfe0c30901561453ae6c1b9549406b29615e
AgentTesla
204d3c9b626e4bbac7012901f30592bf7408c66edb80ce1dda55f6d9421cb7f8
AgentTesla
5073dae4db5d373083392acc876b2cee4a9c0a06001be580dd5fbca8f6124f68
AgentTesla
50b73c4132c9240c404a85b5d2843436fe8d5022a7104b5faeab827f558c52e4
AgentTesla
88862ca221d9e5f6c871c460a53a0f90ceebaa5a20d8c45b8ec6a9413592f38d
AgentTesla
c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0
AgentTesla
c8c3bc6c01dee147be04e3fbaeb5ff72fbee21e676ba04b7326738e692cec9d0
AgentTesla
ccdf6799e7fceaa24cdaaf41ba79fdafaf04a2a8e64dd9bf40cf3ddce9345adf
AgentTesla
f902d33ba5996db886cd1f33e62759cd13605c1c825e3214032f92c4fed730b8
AgentTesla
+ 3 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201005-neq8re58aa/
Behaviour
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
ServiceHost packer
AgentTesla
Unpacked files
SH256 hash:
3bb9f55514122071824320091030f517a2809c140d86791275037569b26f53f1
MD5 hash:
77f95dce9fa89e5c94feec855efcb1da
SHA1 hash:
14f77334b3bca11e07f52408c1d216b5af139a5c
Link:
https://www.unpac.me/results/00f7bdd2-dbfd-4ea0-a484-189d8402da58/
SH256 hash:
6d04f0070db7e726f42e97dd1952783554db7131f7650922ed21a20d6fd96347
MD5 hash:
416e5ec391d3be1e68a15a6a832a5fc9
SHA1 hash:
509e5a013b5ee6bfa5b0b8a533493384e65c6443
Link:
https://www.unpac.me/results/00f7bdd2-dbfd-4ea0-a484-189d8402da58/
SH256 hash:
6b1e618ba558647c94e3e31f94f9f6509920479fb4c365eb81d01ebccb5440fb
MD5 hash:
b4259e6ab594893a8e5ca20c7d0ae7ed
SHA1 hash:
04e0659eaf1457e40da910a52b9e56d61866be20
Link:
https://www.unpac.me/results/00f7bdd2-dbfd-4ea0-a484-189d8402da58/
SH256 hash:
6b50dffc03fa2eb27a7cfb43c0e9fc31c95411e2193a564eb6b6578e28155839
MD5 hash:
21f6685dd6b90f73bf9586acbc41f408
SHA1 hash:
33fcfb9cb7c7e698c1c7da27174ded1e00cfdf0a
Link:
https://www.unpac.me/results/00f7bdd2-dbfd-4ea0-a484-189d8402da58/
SH256 hash:
1412516d5f9e43e9c797bbeb3872ef2ff0f68cf51d66288cfd257bb0b56a0e54
MD5 hash:
e9e6a953fb7c0833f0ed394c69a3654f
SHA1 hash:
ad3a99496b380b5aa25cda420773dedf9efe9af8
Link:
https://www.unpac.me/results/00f7bdd2-dbfd-4ea0-a484-189d8402da58/
SH256 hash:
e3f9ac02690808ee8e82aeb07cb5c2a5bea0ec6b704f12749e6e1de14b996b55
MD5 hash:
80a1256052a8c22d8417f99945170b82
SHA1 hash:
d9a167b2a7e3611717b00a037686203935900297
Link:
https://www.unpac.me/results/00f7bdd2-dbfd-4ea0-a484-189d8402da58/
SH256 hash:
73acb00e0c699a38b3fe1ec2d3518a41f9cad72d27798ea6f579f9dceaa6b063
MD5 hash:
8bd6f3090ec7980acc18bba410f12725
SHA1 hash:
e2f0a1261eb438843f40512e7409bc79209e9aa0
Link:
https://www.unpac.me/results/00f7bdd2-dbfd-4ea0-a484-189d8402da58/
SH256 hash:
4fd221c89030a1fe1c2396a957990693ec8e6330ed79c63bde24abdbc0b8b166
MD5 hash:
36ef15b2b87da1766b4853ec8756d2fc
SHA1 hash:
f1f38e51d52f16482e18e770fd727fad611224f1
Link:
https://www.unpac.me/results/00f7bdd2-dbfd-4ea0-a484-189d8402da58/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/3bb9f55514122071824320091030f517a2809c140d86791275037569b26f53f1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68033/

Comments