MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 42f380a4730febf7e17ebd7e610ba0f727d6324f9c68317df70c0e0bbebd9290. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 42f380a4730febf7e17ebd7e610ba0f727d6324f9c68317df70c0e0bbebd9290
SHA3-384 hash: 583c5e655a7c5227fbcbbef7b44caf969105fa08d3c99fe699f49dd278d857284526f807fdd9189e54384a204289410c
SHA1 hash: d85889c2df293cf2e2bcc08951e28ce0431447c6
MD5 hash: 265f33b1570f9ec0714800e7306ec7c1
humanhash: william-idaho-don-zulu
File name:#DEC-8494004.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'113'464 bytes
First seen:2020-10-20 10:37:22 UTC
Last seen:2020-10-25 22:33:22 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 24576:OUhfYyNQiyPflGP1hNpxG5GzGUG5GYGtGEGiGhGiG9GAGtGhGEGYG5GnGhGAGSGF:NhfYy9yP9Gb
Threatray 663 similar samples on MalwareBazaar
TLSH 3135831B34CEDD251BECF7B98E81846802F4A4634170DB6E24CB87F4C3653566AC6ADB
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/497526
Signature
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300960 Sample: #DEC-8494004.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 69 Multi AV Scanner detection for dropped file 2->69 71 Multi AV Scanner detection for submitted file 2->71 73 Yara detected AgentTesla 2->73 75 6 other signatures 2->75 7 #DEC-8494004.exe 24 6 2->7         started        12 #DEC-8494004.exe 2->12         started        14 #DEC-8494004.exe 2->14         started        16 3 other processes 2->16 process3 dnsIp4 63 pastebin.com 104.23.99.190, 443, 49717, 49740 CLOUDFLARENETUS United States 7->63 65 192.168.2.1 unknown unknown 7->65 59 C:\Users\user\AppData\...\#DEC-8494004.exe, PE32 7->59 dropped 61 C:\Users\...\#DEC-8494004.exe:Zone.Identifier, ASCII 7->61 dropped 77 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->77 79 Creates an undocumented autostart registry key 7->79 81 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->81 83 Drops PE files to the startup folder 7->83 18 WerFault.exe 7->18         started        21 powershell.exe 24 7->21         started        23 powershell.exe 25 7->23         started        31 3 other processes 7->31 85 Creates autostart registry keys with suspicious names 12->85 87 Creates multiple autostart registry keys 12->87 89 Adds a directory exclusion to Windows Defender 12->89 33 2 other processes 12->33 67 104.23.98.190, 443, 49726 CLOUDFLARENETUS United States 14->67 91 Hides threads from debuggers 14->91 93 Injects a PE file into a foreign processes 14->93 25 WerFault.exe 14->25         started        27 powershell.exe 14->27         started        29 powershell.exe 14->29         started        35 3 other processes 14->35 file5 signatures6 process7 file8 55 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 18->55 dropped 37 conhost.exe 21->37         started        39 conhost.exe 21->39         started        41 conhost.exe 23->41         started        57 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 25->57 dropped 43 conhost.exe 27->43         started        45 conhost.exe 29->45         started        47 conhost.exe 31->47         started        49 conhost.exe 31->49         started        51 conhost.exe 33->51         started        53 conhost.exe 35->53         started        process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/42f380a4730febf7e17ebd7e610ba0f727d6324f9c68317df70c0e0bbebd9290/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 08:18:14 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ilzybjdtb7v7pyl6xv7gcc5a64t5mmsptrudc7pxbqhaxpv5skia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19cb1d89fb670dd31ceae6e0c41ffcf47767f6b3779804841f7aaf75adcd028f
AgentTesla
295cd8c1062fecbaf17dd0095897fbdca561bf28616a08190a47adfb68e7c10d
AgentTesla
38d67003a3e33b0ff622758a04b631ac24d0f55f04c007834fd61bf8c2e9074d
AgentTesla
419866e243e8c421e9ddaa512c0aaabb4454b57e684855d23576daa570a58957
AgentTesla
67e8fcfa65a48b5ef7288e91ac8ddab1180cf33150471357485511509955413c
AgentTesla
764c115297d49fb85541c3cc22d8434745ed160094221ef22bfc513398d2ace6
AgentTesla
76e9f23704658774f7a6e20425ab60b0575ba40ab95b5ec670b5601a7c3ccb19
AgentTesla
98f16bf7fd0d32ebf300230c3992712556f0bebc91678c4a6da74f7a900be68b
AgentTesla
bae353be3d64c66c76ca33280e436b02460497265e503b772db81c2e84971cba
AgentTesla
c327e8c358bf3cdb8a0d7b76513eec318f7fc652c286693f5f71ca285fec1a8c
AgentTesla
+ 653 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware evasion trojan persistence keylogger stealer family:agenttesla
Link:
https://tria.ge/reports/201020-tc71fl4m7s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
AgentTesla
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
42f380a4730febf7e17ebd7e610ba0f727d6324f9c68317df70c0e0bbebd9290
MD5 hash:
265f33b1570f9ec0714800e7306ec7c1
SHA1 hash:
d85889c2df293cf2e2bcc08951e28ce0431447c6
Link:
https://www.unpac.me/results/46f21693-ecf9-4bc7-abff-8eef4c9b30dd/
SH256 hash:
37d418de4e71ca1e9a1f89aaf5211b64f66fb95b5dce2804c75e2475c27a04ca
MD5 hash:
985520882d1b57852ab08823b6695f20
SHA1 hash:
41c79737e5ac681ffd798c66b9db324cd60206ff
Link:
https://www.unpac.me/results/46f21693-ecf9-4bc7-abff-8eef4c9b30dd/
SH256 hash:
d3a150ef09b60599d59a2143b5828b696b1769cd1848de16a16619d11e203676
MD5 hash:
908fca3a9fa6b0b8b97e1720a6ee9f64
SHA1 hash:
a8036162814ebc69a79efc31a16bc92b0dc0e0d9
Link:
https://www.unpac.me/results/46f21693-ecf9-4bc7-abff-8eef4c9b30dd/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/42f380a4730febf7e17ebd7e610ba0f727d6324f9c68317df70c0e0bbebd9290

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 326cba753180d22043184b3fd1136bba7eb41e934147692dd60383d4b1dceb66

AgentTesla

Executable exe 42f380a4730febf7e17ebd7e610ba0f727d6324f9c68317df70c0e0bbebd9290

(this sample)

  
Dropped by
MD5 d67bb172f2c6675e5bf13110f1367ea2
  
Dropped by
SHA256 326cba753180d22043184b3fd1136bba7eb41e934147692dd60383d4b1dceb66
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73450/

Comments