MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 464e7363198201699fa0503be713d1776fb07eefc63830cd08494f26ec93ba8b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 464e7363198201699fa0503be713d1776fb07eefc63830cd08494f26ec93ba8b
SHA3-384 hash: 3ef623af949cc41ff224d09cdc20df3cdd058ccfd167b5b295026c98a4676eda1052782243552018ef121774aa0f2e78
SHA1 hash: b40eb3a92f67f8a2206cf74d4caaa7a7f8b9d64b
MD5 hash: f554bb70eb38b2cdf9612469ba094651
humanhash: venus-apart-fourteen-iowa
File name:Payment Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:522'240 bytes
First seen:2020-08-19 11:29:20 UTC
Last seen:2020-08-19 12:45:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9faaf32646a3afd481c4ac664821756 (4 x AgentTesla, 1 x AZORult, 1 x FormBook)
ssdeep 12288:6R+b5GrR4zAO+W3MelR82ECELN+ZY0MPXOagE:6Ub5GG8BWdjmCPZYF
Threatray 10'176 similar samples on MalwareBazaar
TLSH 57B4D0617398F5D1E45282B17206DA2051333CB6BA67884A3BC077CB7DF27E9AB4C752
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server.domain.com
Sending IP: 89.45.4.248
From: accountdept <accountoffice1@worldtransfer.com>
Subject: Re: TT Payment
Attachment: Payment Copy.gz (contains "Payment Copy.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/48460/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Sending a UDP request
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/437718
Signature
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/464e7363198201699fa0503be713d1776fb07eefc63830cd08494f26ec93ba8b/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-08-19 11:31:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=izhhgyyzqiawth5aka56oe6ro5x3a7xpyy4dbtiijfhsn3etxkfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2797fabdb7ec8843947933f792ef8db22cc3bab5e06f8204ab4697acd0a04d55
AgentTesla
2b5d96d018098da5990f2d6d721ab925efd4422c13cccf031775b6fddd5f801e
AgentTesla
50d83791145d6b09c47fc90279d568bff571181c97d9dad9ab63c3e9c9b935af
AgentTesla
574f46006cfd1caa512756f6a27e6ce2140124d77f1a979c2c12d0d63652cd5c
AgentTesla
66178c5a45af58b7b0710d3867d501cbef090c10817fd1ebf5555477c2c32098
AgentTesla
6fefda6e593a6be7de5636905b89eef16e82b904e95bf88245ee067b84cebbed
AgentTesla
8433ac6d87185d65251a833f4f37ac4095395d2751da1ff95e8d9d4e53656480
AgentTesla
cac726f6b0bcb60af61033a9a59ae886ee7466f65e20185cd44be43c80386e7d
AgentTesla
d3dc0fad4580b2c3d0f5bfe27fd99d66b20f2a2c65c219218f9e6628a9df5d2b
AgentTesla
d4ce64cdc542c8733eb5b0445875887874d467ee1f13ef1a2bd6e7d568d3f97d
AgentTesla
+ 10'166 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200819-55vx4mxagx/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/464e7363198201699fa0503be713d1776fb07eefc63830cd08494f26ec93ba8b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d245b8f7b96be20c39a84e11d19a770b6dc3155ccbe668843bd4682f262bc174

AgentTesla

Executable exe 464e7363198201699fa0503be713d1776fb07eefc63830cd08494f26ec93ba8b

(this sample)

  
Dropped by
MD5 8b1f0a00024f52d85c298a0f323836cc
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d245b8f7b96be20c39a84e11d19a770b6dc3155ccbe668843bd4682f262bc174
Cape
Cape
https://www.capesandbox.com/analysis/48460/

Comments