MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 423564a7b9dbcb8a5b81a2b2332287287e359725efe04afa2dc7e43755c0799b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 423564a7b9dbcb8a5b81a2b2332287287e359725efe04afa2dc7e43755c0799b
SHA3-384 hash: fb888084de49485918cf33cf709e8304225894de2a0c5ba965dffca1bfd808a3cef9010bbeb4f72983974541448e53dd
SHA1 hash: 283751ab2e637b9d2dd0e8d688d6288dfd44d739
MD5 hash: 0491ad4524628ad65c41ea1bcb3ff2a1
humanhash: nebraska-lactose-fish-foxtrot
File name:PO-789906504.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:694'784 bytes
First seen:2020-12-03 07:02:31 UTC
Last seen:2020-12-03 09:13:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash e16bf585377a2c04ffc8f29a891831dc (5 x AgentTesla, 1 x Formbook)
ssdeep 12288:u93lQgykrZ7bd8LtaZtE6/OoF59VLUPXdnJx7jPuiQO:uHAtaZtpGy5UPXdnP
Threatray 15 similar samples on MalwareBazaar
TLSH 4BE4F100B581803BD4B305B209BD6B25A67DFD2147646ECB73CC8A1D5B796E17F32B62
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106488/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.60747.11010.20084.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/554285
Signature
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 326241 Sample: PO-789906504.exe Startdate: 03/12/2020 Architecture: WINDOWS Score: 100 25 g.msn.com 2->25 33 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->33 35 Found malware configuration 2->35 37 Multi AV Scanner detection for submitted file 2->37 39 2 other signatures 2->39 9 PO-789906504.exe 2->9         started        signatures3 process4 signatures5 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->51 12 PO-789906504.exe 9->12         started        14 PO-789906504.exe 9->14         started        process6 process7 16 PO-789906504.exe 12->16         started        19 PO-789906504.exe 12->19         started        signatures8 31 Maps a DLL or memory area into another process 16->31 21 PO-789906504.exe 2 16->21         started        process9 dnsIp10 27 smtp.kpce-co.com 21->27 29 us2.smtp.mailhostbox.com 208.91.199.224, 49716, 587 PUBLIC-DOMAIN-REGISTRYUS United States 21->29 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 21->41 43 Tries to steal Mail credentials (via file access) 21->43 45 Tries to harvest and steal ftp login credentials 21->45 47 Tries to harvest and steal browser information (history, passwords, etc) 21->47 signatures11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/423564a7b9dbcb8a5b81a2b2332287287e359725efe04afa2dc7e43755c0799b/
Threat name:
Win32.Trojan.EmotetAE
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 04:16:22 UTC
File Type:
PE (Exe)
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ii2wjj5z3pfyuw4bukzdgiuhfb7dlfzf57qev6rny7sdovoapgnq._file
Verdict:
unknown
Similar samples:
55262ba4506d187b228d575d7740803b4930a9392f4d90f2cdfc4db1dba987e1
AgentTesla
5952cc403a58eab272b199a6f39c35bfadf8feeafbadc1a3d30a68e01e93b7ae
AgentTesla
5d24a0a0b3827fc646d7f7da98a5db2a8d76bba9761b4c91ab968cc67ceaf194
AgentTesla
6093b99ac39503f585b6a7ed7e20727c24a784a7a93c181596209054a561ad71
AgentTesla
69710a605be0e7ffded4a0156f7823e29dc0f1b2ceff785465d3fd094802de07
AgentTesla
89e36f73f667df03dd636f766a9b127c9c0b307fc0ae3149b2d1ff6f34c84b09
AgentTesla
a922d6a65dd738d1c715a254a2e257b1c35b006052ee426f634558f11db91d5b
AgentTesla
ab612a8fe6f624d7d590420fc47a96b99aaa0097d4d78f438fee11cd41552305
AgentTesla
c9c6ab014615422f9d6def268a9c0c17172882d4319c3261c66341bf31ee1ba8
AgentTesla
efcd8b4258174d99d21ed0be8a946ca98787e58543194208301af6189ae39f84
AgentTesla
+ 5 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201203-zch9jsxcla/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
423564a7b9dbcb8a5b81a2b2332287287e359725efe04afa2dc7e43755c0799b
MD5 hash:
0491ad4524628ad65c41ea1bcb3ff2a1
SHA1 hash:
283751ab2e637b9d2dd0e8d688d6288dfd44d739
Link:
https://www.unpac.me/results/7c742b68-f44f-4acc-a328-3096ccf81f0f/
SH256 hash:
c1b4bbe724f0870286939fdb3cf1b65945039c31ba3f7a2702b7125a9ff4634d
MD5 hash:
7d9634be72fadead7d4c5519ca0a8ffd
SHA1 hash:
014042c659822fca2bc99f3a742a44dc13ce5136
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/7c742b68-f44f-4acc-a328-3096ccf81f0f/
SH256 hash:
c864f7e965347a3e92562ed351a55fe8ed8b0f7ab855ed83f9ee1969706c39ce
MD5 hash:
8f58f0d783ed856dbf3c439f87dc84c4
SHA1 hash:
7f5db913fa4a7f4ef9cd686cdea24e386148f6a6
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/7c742b68-f44f-4acc-a328-3096ccf81f0f/
Parent samples :
b2a4c9e1fbafc010c19f17103ed3454b96fd23e047a6a03cb01ecdc9f026709e
1a903efdee44ad5501599ad3e80b61dbe73bf605b683be5c53df78b628c63d85
07724738dcb86f8bbcb08246ffd05e44bca0fd761f28d5a1eada30851871cc31
cfb435bdd8d3e8b95c5c6ca82fd51b7f4369746ca664ff6d660d0715b58f07da
632b11a6a0e78b8a04e6588f3809a0077a2de039dcf9745e2816e9ff12b1adf2
e13107c64261638ea91a7c3df4d1eec7153e1eab218b10fd027ddb0f52b95418
423564a7b9dbcb8a5b81a2b2332287287e359725efe04afa2dc7e43755c0799b
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/423564a7b9dbcb8a5b81a2b2332287287e359725efe04afa2dc7e43755c0799b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 199db33087a7aabeaa3a748dcc82abb6ba00ae68010096783a5431d52ebdf4ec

AgentTesla

Executable exe 423564a7b9dbcb8a5b81a2b2332287287e359725efe04afa2dc7e43755c0799b

(this sample)

  
Dropped by
MD5 f38030b141c35992d35f790c20cfd3be
  
Dropped by
SHA256 199db33087a7aabeaa3a748dcc82abb6ba00ae68010096783a5431d52ebdf4ec
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106488/

Comments