MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 490ae9b839a658e4f14383fa7db7359dd1de83ed56f644c281e81e91895bdce3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 490ae9b839a658e4f14383fa7db7359dd1de83ed56f644c281e81e91895bdce3
SHA3-384 hash: a6b2e33f78b63aa714df581dfbb9026faba1f871829f802a876f6157a957ce9d33ae1f82cc5033861f3265e7dc7e60e1
SHA1 hash: b278befe39ae70b286e12a260c113ecba13b2273
MD5 hash: b0b1776f8fa6e082974294a7ac19f10e
humanhash: delaware-oven-five-asparagus
File name:MV NAHIDE-M EDPA REQUEST FOR SHIPYARD CALL.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:749'568 bytes
First seen:2020-08-20 06:27:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:zuOXLrDw/092+0v3Rw+HncxU6SmQJbDvllvNpEJjiD7/V/NbG15:ZbrDw/NfK2cxUiQR5lE9iDzV/NbG1
Threatray 9'258 similar samples on MalwareBazaar
TLSH AFF41261365CABD2F6264FF09531C8915FF92F251E11E70A6DF23BEE2831B418822797
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

From: "Panlink Shipping Agency(Jiangyin) Co.,Ltd " <agency@panlinklogistics.com>
Reply-To: howardbrisson@gmail.com
Subject: MV NAHIDE-M // EDPA REQUEST FOR SHIPYARD CALL
Attachment: MV NAHIDE-M EDPA REQUEST FOR SHIPYARD CALL.rar (contains "MV NAHIDE-M EDPA REQUEST FOR SHIPYARD CALL.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/49013/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/440598
Signature
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 272903 Sample: MV NAHIDE-M  EDPA REQUEST F... Startdate: 21/08/2020 Architecture: WINDOWS Score: 100 39 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->39 41 Found malware configuration 2->41 43 Yara detected AgentTesla 2->43 45 5 other signatures 2->45 6 DsWhv.exe 3 2->6         started        9 MV NAHIDE-M  EDPA REQUEST FOR SHIPYARD CALL.exe 3 2->9         started        12 DsWhv.exe 2 2->12         started        process3 file4 47 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->47 49 Machine Learning detection for dropped file 6->49 51 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->51 53 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 6->53 14 DsWhv.exe 2 6->14         started        31 MV NAHIDE-M  EDPA ...IPYARD CALL.exe.log, ASCII 9->31 dropped 55 Injects a PE file into a foreign processes 9->55 18 MV NAHIDE-M  EDPA REQUEST FOR SHIPYARD CALL.exe 2 5 9->18         started        21 MV NAHIDE-M  EDPA REQUEST FOR SHIPYARD CALL.exe 9->21         started        23 MV NAHIDE-M  EDPA REQUEST FOR SHIPYARD CALL.exe 9->23         started        25 DsWhv.exe 2 12->25         started        signatures5 process6 dnsIp7 33 mail.federalpower.com.my 14->33 57 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->57 59 Tries to steal Mail credentials (via file access) 14->59 61 Tries to harvest and steal ftp login credentials 14->61 63 Tries to harvest and steal browser information (history, passwords, etc) 14->63 35 federalpower.com.my 124.217.255.89, 49730, 49732, 587 SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY Malaysia 18->35 37 mail.federalpower.com.my 18->37 27 C:\Users\user\AppData\Roaming\...\DsWhv.exe, PE32 18->27 dropped 29 C:\Users\user\...\DsWhv.exe:Zone.Identifier, ASCII 18->29 dropped 65 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->65 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/490ae9b839a658e4f14383fa7db7359dd1de83ed56f644c281e81e91895bdce3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-20 05:17:06 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jefotobzuzmoj4kdqp5h3nzvtxi55a7nk33ejqub5apjdck33trq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c0311a1cb921c213ce8b70d9f3b218c1297ece766bc209da2712cedab6960a1
AgentTesla
239a40118ca9473eb4be7f1bcf0fbb00c93b7213926402d93074b2252bc72092
AgentTesla
34389c63bfec9402befc3afc4d92259a43056b33d6e4b70054d50ba38d258981
AgentTesla
3858c456ab026309da4ac40a5dc2c8e3d360c9f27c592ffb74875443a1e775b5
AgentTesla
56f2c7b9d0efa06b177d87a0617b2a4ccb000d72599d046e3cc014628a4ca497
AgentTesla
687bbb360426bced3a9f69df3a4ae321c30c2e6e8cc40bde6b6b7519a6aaab34
AgentTesla
7867241670b0fd664072e1bf555bc56b8291a80e01adeebcffcc768a0e88c117
AgentTesla
a348251ca8856d6984701e79b0946e27410542a8d6769bc0d902239ff41efc9f
AgentTesla
e1117b5ae3e0424b17971fcd47d27d29f26f2bd40f5f899bdabcdcfa68a57e6d
AgentTesla
f150b76e622e7da135e3d47a20c424aa20a6efeb839b15d301c17233bdcbc9f4
AgentTesla
+ 9'248 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200820-dnnzmnba1n/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/490ae9b839a658e4f14383fa7db7359dd1de83ed56f644c281e81e91895bdce3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 6f389d6b8af5ded5ed7997cf640b0267553c7fe28e17e0ae23586f15e3c5ea63

AgentTesla

Executable exe 490ae9b839a658e4f14383fa7db7359dd1de83ed56f644c281e81e91895bdce3

(this sample)

  
Dropped by
MD5 e432d4422a2698e26c1cd7036b9704c3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/49013/
  
Dropped by
SHA256 6f389d6b8af5ded5ed7997cf640b0267553c7fe28e17e0ae23586f15e3c5ea63

Comments