MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5
SHA3-384 hash: 15a3d95689764cf4167a8809ea844fbb73bbc4a764ec2ca3166ca4ab95ef23ae76369c0d196500d86800e15eb1c1558a
SHA1 hash: c69bfb52c7722d8f690e76423d74663e89e7e6c8
MD5 hash: e1d94bf8e619597e04c5cd3d8a76821e
humanhash: wolfram-saturn-cardinal-alabama
File name:CV_PDF_____________.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:346'112 bytes
First seen:2020-10-05 12:11:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:UTJE+wg1BGJOui37MdVYr4SMug99reRozZVkhuvYq2hwvOctjvlORcUyD:UCRG9gIUSfMcozDkhuv9vOG0RcVD
Threatray 309 similar samples on MalwareBazaar
TLSH 3F746D697789E7B0D3BFAE74205760D24112F5C21F56721EAF4B3D2A09D298D087AFE0
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: nsb.helim.tg
Sending IP: 41.207.178.38
From: Anita Ruoxi Zhang <stea-commercial@helim.tg>
Subject: CV
Attachment: CV_PDF_____________.iso (contains "CV_PDF_____________.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68203/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Creating a file
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481436
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293183 Sample: CV_PDF_____________.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 62 Found malware configuration 2->62 64 Antivirus detection for dropped file 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 5 other signatures 2->68 8 CV_PDF_____________.exe 12 2->8         started        12 ExQTKw.exe 2->12         started        14 ExQTKw.exe 2->14         started        process3 file4 52 C:\Users\user\AppData\Roaming\tmp.exe, PE32 8->52 dropped 54 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 8->54 dropped 56 C:\Users\user\AppData\...\name.exe.lnk, MS 8->56 dropped 58 2 other malicious files 8->58 dropped 78 Writes to foreign memory regions 8->78 80 Allocates memory in foreign processes 8->80 82 Injects a PE file into a foreign processes 8->82 16 tmp.exe 2 4 8->16         started        21 cmd.exe 8->21         started        23 cmd.exe 8->23         started        25 4 other processes 8->25 84 Antivirus detection for dropped file 12->84 86 Multi AV Scanner detection for dropped file 12->86 88 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 12->88 90 2 other signatures 12->90 signatures5 process6 dnsIp7 60 mail.alsuwaidifts.com 162.241.219.20, 49749, 587 UNIFIEDLAYER-AS-1US United States 16->60 46 C:\Users\user\AppData\Roaming\...xQTKw.exe, PE32 16->46 dropped 70 Antivirus detection for dropped file 16->70 72 Multi AV Scanner detection for dropped file 16->72 74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->74 76 7 other signatures 16->76 27 reg.exe 21->27         started        30 conhost.exe 21->30         started        48 C:\Users\user\AppData\Roaming\...\name.exe, PE32 23->48 dropped 32 conhost.exe 23->32         started        50 C:\Users\user\...\name.exe:Zone.Identifier, ASCII 25->50 dropped 34 iexplore.exe 1 54 25->34         started        36 conhost.exe 25->36         started        38 conhost.exe 25->38         started        40 2 other processes 25->40 file8 signatures9 process10 signatures11 92 Creates an undocumented autostart registry key 27->92 42 iexplore.exe 60 34->42         started        44 iexplore.exe 34->44         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5/
Threat name:
ByteCode-MSIL.Spyware.Solmyr
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 08:14:08 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ixcrh4iioev4tdubui7aksz5edpa47wrkla6ikahvzo65ltwa3cq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00d0e1852c2502d4660ce5e286b417531166690478309d95beb7a20e24fcfffa
AgentTesla
15814d40339c1e572590b74683dec0fdf2e55e7f565be6e806adfa2e59c4a915
AgentTesla
20c6424e353a9e436708bba102710844e52c8ada62ad91e6de65438ee233faff
AgentTesla
60db9d2df465b5bfcf2d1c0a71559c57c561d0746a0f3fd7f4e8b9203871cfb8
AgentTesla
65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1
AgentTesla
818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
af78e9a2d4a82521ad67cc63493b8525ebf8c2c1b1fb2530162250daafeb2ec7
AgentTesla
e8e343cbb5ec9cf1c0d2d4ce34773c03b18cbdc29811acbee054b0731660ad02
AgentTesla
eed860fb0b48051582b2f34f20bc47f0fa5cd2273d20df99d339d1058e79113f
AgentTesla
+ 299 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201005-bsv3y4p9ns/
Behaviour
Delays execution with timeout.exe
NTFS ADS
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla
Unpacked files
SH256 hash:
45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5
MD5 hash:
e1d94bf8e619597e04c5cd3d8a76821e
SHA1 hash:
c69bfb52c7722d8f690e76423d74663e89e7e6c8
Link:
https://www.unpac.me/results/2b9cdbcc-f384-4e33-b05c-01a588603dd7/
SH256 hash:
e0e06c41fa0d937cc68ae75358c313acf4fbb9c44614a8ddc56688f0d8d52f3d
MD5 hash:
f0657bc3da0f24702acfb88ed9e270f6
SHA1 hash:
9eb29620115153af34a2e11d3ac3b86c8ec12e6e
Link:
https://www.unpac.me/results/2b9cdbcc-f384-4e33-b05c-01a588603dd7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
RevengeRAT
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso eeb1ef5d095875ab12fce4e0b8c330551a873dcec4274538a67cfe61e7dec9b0

AgentTesla

Executable exe 45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5

(this sample)

  
Dropped by
MD5 da1f8bf314b70613fdd9e424d73a23b3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68203/
  
Dropped by
SHA256 eeb1ef5d095875ab12fce4e0b8c330551a873dcec4274538a67cfe61e7dec9b0

Comments