MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 48ec76cfb4b4ea2605a727eeb7314f5b724969764ce02b7e6937211948c5ccfe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 48ec76cfb4b4ea2605a727eeb7314f5b724969764ce02b7e6937211948c5ccfe
SHA3-384 hash: 2165856542e225a26e68dd05e2b080aae98ee528249a43563507e20210c63369a4bd6bb7d1780f3e6a719177e1632579
SHA1 hash: 552fbdee3bd4ccf2594282f84b7df181927aac66
MD5 hash: f599c6da96c3ff4f50c24c3577955bea
humanhash: speaker-wolfram-texas-tango
File name:Payment Advice Note from 19.11.2020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:778'240 bytes
First seen:2020-11-20 07:49:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:+A9904L16DRCXlYQVvBEVDcVM/WuzdEzzEoTSkisn6NpwxEcapdAMXW/Z6IVO:390s16VC1YQV5EVDKIuzQoSPsupWZF
Threatray 1'428 similar samples on MalwareBazaar
TLSH 41F42330F2490722E3AD053F0978D699C3741F32D9328977BD9CB269267E72CE96464E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gmail.com
Sending IP: 45.137.22.56
From: noreply@upm.com
Subject: Payment Advice Note from 19.11.2020
Attachment: Payment Advice Note from 19.11.cab (contains "Payment Advice Note from 19.11.2020.exe")

AgentTesla SMTP exfil server:
mail.impresstilecleaners.com.au

Intelligence

File Origin
# of uploads :
1
# of downloads :
129
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/543954
Signature
Antivirus / Scanner detection for submitted sample
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: RegAsm connects to smtp port
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 321074 Sample: Payment Advice Note from 19... Startdate: 20/11/2020 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 6 other signatures 2->53 6 Payment Advice Note from 19.11.2020.exe 1 2->6         started        10 NewApp.exe 2 2->10         started        12 NewApp.exe 1 2->12         started        process3 file4 25 Payment Advice Not... 19.11.2020.exe.log, ASCII 6->25 dropped 55 Writes to foreign memory regions 6->55 57 Maps a DLL or memory area into another process 6->57 14 RegAsm.exe 17 8 6->14         started        19 RegAsm.exe 6->19         started        21 conhost.exe 10->21         started        23 conhost.exe 12->23         started        signatures5 process6 dnsIp7 29 mail.impresstilecleaners.com.au 101.0.117.115, 49744, 49746, 587 DIGITALPACIFIC-AUDigitalPacificPtyLtdAustraliaAU Australia 14->29 31 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.126.66, 443, 49743 AMAZON-AESUS United States 14->31 33 2 other IPs or domains 14->33 27 C:\Users\user\AppData\Roaming\...27ewApp.exe, PE32 14->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 Tries to harvest and steal ftp login credentials 14->39 45 3 other signatures 14->45 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->43 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/48ec76cfb4b4ea2605a727eeb7314f5b724969764ce02b7e6937211948c5ccfe/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-19 22:57:58 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jdwhnt5uwtvcmbnhe7xlomkplnzes2lwjtqcw7tjg4qrssgfzt7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1d6004838e32ca7b5763964c99d3c92fc591c7b21d0de3595a7da27794ec5ab6
AgentTesla
3acb8c900b76d7232dcb0dd75e92f7647468a845bba8fb42dce2bc1ec2bb1d2f
AgentTesla
3f643208ad4025825d073c43dc40f4453df1cae39be3cc31b647236d76657fa1
AgentTesla
4231c38aadd1c59f0270408e841f773c1e17bf1e45f02d20f440d1c82413ec5a
AgentTesla
4574055c204f272af805107051d06291970dfa5e1f05fafd268f17b499b3ebf8
AgentTesla
486d7c96b47e6a1278f06601b3cfb146a2a453cf2b4658036f4a392298195bf9
AgentTesla
4e0f1a66466311d8610b4610fc7ce3c8ea4bb8b71528035cbe3ff2204c3dacd3
AgentTesla
590d1a6a1fa00812284d4f5e4f47cb34d4965c79bfc9ec1741f2a8e14967719b
AgentTesla
7b3834838c8089d4af4508d5961ea134c7ae331dfe350381f38fb6ffda679726
AgentTesla
feb639dabb33ddc8d08dc3065a7a869225419d52be2aa0ec247377607a426ef3
AgentTesla
+ 1'418 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201120-52qk6rb9bx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
1f8e1b4e8943bcccc664a5bab4b981f4b12297513e935351af81d2ecc3b750ee
MD5 hash:
f354010fbaa70bbbfc07a408e0004a40
SHA1 hash:
ae2b4e72e3e5fb4f2a810002dcb4326c3257e095
Link:
https://www.unpac.me/results/eeebca16-e331-4034-bb3d-bc761a16dc7e/
SH256 hash:
a1cd57a2d89ee0def8189a4c56411381daf098ed30b5f4df73125185894850f7
MD5 hash:
8dc525d0a42fcbe0fa6f248156876b55
SHA1 hash:
f49051dfdf3812a3839b95677d9022ccd11c64d3
Link:
https://www.unpac.me/results/eeebca16-e331-4034-bb3d-bc761a16dc7e/
SH256 hash:
48ec76cfb4b4ea2605a727eeb7314f5b724969764ce02b7e6937211948c5ccfe
MD5 hash:
f599c6da96c3ff4f50c24c3577955bea
SHA1 hash:
552fbdee3bd4ccf2594282f84b7df181927aac66
Link:
https://www.unpac.me/results/eeebca16-e331-4034-bb3d-bc761a16dc7e/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

cab d51479cf5243058d209c77c0ddf005bcf86e946b50d9b9cd34405b475d75d47d

AgentTesla

Executable exe 48ec76cfb4b4ea2605a727eeb7314f5b724969764ce02b7e6937211948c5ccfe

(this sample)

  
Dropped by
MD5 c866163c6840422d69fc68417646bf51
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d51479cf5243058d209c77c0ddf005bcf86e946b50d9b9cd34405b475d75d47d

Comments