MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 44b3d6cb7298f98b7efad49bfedcadfaf59cc90b11e4d307b5a07490c49eeeaa. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 44b3d6cb7298f98b7efad49bfedcadfaf59cc90b11e4d307b5a07490c49eeeaa
SHA3-384 hash: 10d57f5f6d8f89ba42e68eafa9dab093ed747e18d22aa3b3f985f925c413a4c198cbc6816228087f9566ff1ecc0023ea
SHA1 hash: 359c8e00d16b29a19d4b6cc1fd6c9c21becd147d
MD5 hash: 5488c5dd9beeb9c655a2a46e4583b354
humanhash: king-sad-mike-violet
File name:transcach.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'110'766 bytes
First seen:2021-01-09 17:23:57 UTC
Last seen:2021-01-09 18:53:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ae1a3b657fab2502fa4af9551805bcb6 (2 x AgentTesla, 1 x RevCodeRAT)
ssdeep 24576:zZ+rL2ECnuepCL4hDUffaRoXuyT9SJsAFt:ATSUJXu+9SpFt
Threatray 10'765 similar samples on MalwareBazaar
TLSH 1035E717398CFEC2D78A48F285474D9C11B0AC31E8194A8FA2C37935EF2596B14FF6A5
Reporter abuse_ch
Tags:AgentTesla exe Outlook


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: EUR06-DB8-obe.outbound.protection.outlook.com
Sending IP: 40.92.51.70
From: Mélodie Guiat <feno_u201@outlook.fr>
Subject: Re: Re : Re : Re : A vendre Camion VL 2 chevaux Remault Master 150 CV DCI 4500 €
Attachment: transcach.zip (contains "transcach.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
304
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
transcach.exe
Verdict:
Malicious activity
Analysis date:
2021-01-09 17:25:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/914a6ca8-b269-4d7d-9aff-36b4bce62fd0

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/111128/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.33614.30205.27626.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% subdirectories
Launching a process
Using the Windows Management Instrumentation requests
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/577332
Signature
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 337717 Sample: transcach.exe Startdate: 09/01/2021 Architecture: WINDOWS Score: 84 25 smtp.gmail.com 2->25 27 prda.aadg.msidentity.com 2->27 43 Found malware configuration 2->43 45 Yara detected AgentTesla 2->45 47 C2 URLs / IPs found in malware configuration 2->47 49 Machine Learning detection for sample 2->49 7 Player.exe.exe 2->7         started        10 Player.exe.exe 2->10         started        12 transcach.exe 1 2 2->12         started        signatures3 process4 file5 51 Writes to foreign memory regions 7->51 53 Allocates memory in foreign processes 7->53 55 Sample uses process hollowing technique 7->55 15 RegSvcs.exe 9 7->15         started        57 Machine Learning detection for dropped file 10->57 59 Contains functionality to inject code into remote processes 10->59 61 Injects a PE file into a foreign processes 10->61 19 RegSvcs.exe 9 10->19         started        23 C:\Users\user\AppData\...\Player.exe.exe, PE32 12->23 dropped 21 RegSvcs.exe 9 12->21         started        signatures6 process7 dnsIp8 31 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->31 33 Tries to steal Mail credentials (via file access) 15->33 35 Tries to harvest and steal ftp login credentials 15->35 37 Tries to harvest and steal browser information (history, passwords, etc) 15->37 29 smtp.gmail.com 172.253.120.109, 49730, 49731, 49732 GOOGLEUS United States 21->29 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->39 41 Installs a global keyboard hook 21->41 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/44b3d6cb7298f98b7efad49bfedcadfaf59cc90b11e4d307b5a07490c49eeeaa/
Threat name:
Win32.Trojan.Symmi
Create hunting rule
Status:
Malicious
First seen:
2021-01-09 17:24:09 UTC
AV detection:
14 of 46 (30.43%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=isz5ns3std4yw7x22sn75xfn7l2zzsilchsngb5vub2jbre652va._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0de02fe1d36c7dc18f12a9eb8c398158c474699f8471177b2b2d190b6c0ce3c5
AgentTesla
2f4ed6ffb6539e4fd08da57d1d3577180598316972c284d344fb84c1c601a129
AgentTesla
461a6b0785f4a709fbc9a6aad7194f37f54adcf99e52a47d592761c7a1f29b03
AgentTesla
4f4da7ed9a3d252b36eb7231d63b5e05eae88bec7edaa044fb5590e49d8db950
AgentTesla
502a586c38cb1dd1958f5a201aedccc8d6188cc7944f0d17f31eddabccc4d6c8
AgentTesla
636ed47033dc0066e0e169d4be9d01b56886b255cd5d351b481e35200f507b43
AgentTesla
73b83d70f24909aea7920a86029b43198979d7e31ab768619371e12fc7399f93
AgentTesla
8f004bc9aec06467c6d02274e540d990f49f936a089fe46c651fe80b38b5a4cd
AgentTesla
af3de18f3b36685688f53991f1c4bd26d2cf0a36f7aeccaa0a09088b9c2e9461
AgentTesla
f13afdd20e5dbe1fe6bc73b81b8c91604d125a1833b6a14fb9efbeb575ec73ee
AgentTesla
+ 10'755 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210109-mmkwxwwnt2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
44b3d6cb7298f98b7efad49bfedcadfaf59cc90b11e4d307b5a07490c49eeeaa
MD5 hash:
5488c5dd9beeb9c655a2a46e4583b354
SHA1 hash:
359c8e00d16b29a19d4b6cc1fd6c9c21becd147d
Link:
https://www.unpac.me/results/57cf2fd7-1c0c-425d-845b-63406d3e17c3/
SH256 hash:
e1298aa27518454331f3d6ddb92d6905d0716b94c119ed841525640422da8403
MD5 hash:
b73cc036c472b9b9dd17ba217eb3c654
SHA1 hash:
83d0f4e4467f7e4e4912a1a1a528ee08a32ba339
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/57cf2fd7-1c0c-425d-845b-63406d3e17c3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/44b3d6cb7298f98b7efad49bfedcadfaf59cc90b11e4d307b5a07490c49eeeaa

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 97f8bfe1d1d5ffd9e6ca5cf8bc0734c1c8a506180a12b9dee50d39ba42d10458

AgentTesla

Executable exe 44b3d6cb7298f98b7efad49bfedcadfaf59cc90b11e4d307b5a07490c49eeeaa

(this sample)

  
Dropped by
MD5 93656d138c068e1d84fc52015888a175
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 97f8bfe1d1d5ffd9e6ca5cf8bc0734c1c8a506180a12b9dee50d39ba42d10458
Cape
Cape
https://www.capesandbox.com/analysis/111128/

Comments