MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 499b658962045baed85a8e15c6da466efd2bd245a671def8ee315e5a388a6292. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 499b658962045baed85a8e15c6da466efd2bd245a671def8ee315e5a388a6292
SHA3-384 hash: ed0d2fd40f9ab2bcbd39bd8945750d2eb50afa3758ba18f61176e2f21e3e2a08dbeb300f1786544b3f1a5d85b56cb890
SHA1 hash: 02aa33bac60495b1ac3ab5f09df2f7e94fba47c9
MD5 hash: c3009de9ea1ef5ce44ce4698406e41bd
humanhash: pasta-crazy-pizza-network
File name:Urgent_quotation.20.10.4555.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:929'792 bytes
First seen:2020-10-19 22:21:00 UTC
Last seen:2020-10-19 22:50:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:M+MtMX83hjP00/IoZxgUnaqtXuvHBF57U7UkLhlnvSvmkMpuQnqqYBOvMJkWCUcL:MlKsRPVZpa9HxoUgSukghqq1vMUaYx3
Threatray 9'941 similar samples on MalwareBazaar
TLSH 2D15AE2527956F68F03D4733A4A8240193F9EC13D335C42E7DE5368E1EB1F96A623B86
Reporter Racco42
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.9457.26287.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/496225
Signature
Contains functionality to register a low level keyboard hook
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300483 Sample: Urgent_quotation.20.10.4555.exe Startdate: 20/10/2020 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 8 other signatures 2->37 7 Urgent_quotation.20.10.4555.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\AgmorSQXDw.exe, PE32 7->19 dropped 21 C:\Users\...\AgmorSQXDw.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp1503.tmp, XML 7->23 dropped 25 C:\...\Urgent_quotation.20.10.4555.exe.log, ASCII 7->25 dropped 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->41 43 Contains functionality to register a low level keyboard hook 7->43 45 Injects a PE file into a foreign processes 7->45 11 Urgent_quotation.20.10.4555.exe 6 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 smtp.yandex.ru 77.88.21.158, 49751, 49752, 587 YANDEXRU Russian Federation 11->27 29 smtp.yandex.com 11->29 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->47 49 Tries to steal Mail credentials (via file access) 11->49 51 Tries to harvest and steal ftp login credentials 11->51 53 2 other signatures 11->53 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/499b658962045baed85a8e15c6da466efd2bd245a671def8ee315e5a388a6292/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 02:29:54 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jgnwlclcarn25wc2ryk4nwsgn36sxusfuzy556hogfpfuoekmkja._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
7b939c76950b25a4e132860f637b3de9f561022e96481bb5f881b21e57e5898b
AgentTesla
8192d560e89e235f4734cf4ad8fa3a9a91abd7eb83b589c4d471efc5d6361f1d
AgentTesla
a2158f5ab307d2418f9653ea6bfd8914fe390a99137ee96191266c01ba93977a
AgentTesla
a88d09e31b3d69e78b88c96f053a9afbe29daa59fc50e5ba269f4a24b3a04d88
AgentTesla
aa95f30da548dae9304cea73e276f87fdab530186aec142eb83022f1f31f5cb6
AgentTesla
b85e964144a64d78fc54b4e6bae83ba6e1c7179f0a820f361c27f58842b6940a
AgentTesla
c032e316eefbacca4b3ddfe7fc2ee9ac5f86daea767232d2322f7fdfe4b18993
AgentTesla
c68e4b825434bac34abd9d5428ea2c30fc60c8b47db17de743782825687547d5
AgentTesla
e232dc56a916d659961271caf129b47c5fa561f71ecff17f6c96801cd7b50820
AgentTesla
e4a3e20e267b49025b0c602b0af5b19c57711fc07f5442c356d5c57e1ee7cd31
AgentTesla
+ 9'931 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201019-3cr1zdbhce/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
499b658962045baed85a8e15c6da466efd2bd245a671def8ee315e5a388a6292
MD5 hash:
c3009de9ea1ef5ce44ce4698406e41bd
SHA1 hash:
02aa33bac60495b1ac3ab5f09df2f7e94fba47c9
Link:
https://www.unpac.me/results/c3196c50-cca9-41a1-88c7-60bbae8b846c/
SH256 hash:
cb30d5a9138135a0442a47a546202e644da5c1662ff06b0bfeff3cc9b4b3b067
MD5 hash:
e60b0da2bb2c49aac07ed3460d452682
SHA1 hash:
092b4558384abcbdf59b8affe7fc91d2a359afef
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/c3196c50-cca9-41a1-88c7-60bbae8b846c/
Parent samples :
499b658962045baed85a8e15c6da466efd2bd245a671def8ee315e5a388a6292
0ad4c6a9bee4bac6960ad780c1c23b3040fa4ebf3136136187c0352a5d44d982
95be71d73799012c2d1d672f4624f0d4b02a0ab64b428b7cd8d7f0eb6a2d29ba
SH256 hash:
50ec8d3c3fe2737f3ca592ce110293ca31e08393c0d14304e53fe32c72c9d876
MD5 hash:
484c989f606e85c5f6fbe84e19234e4e
SHA1 hash:
18e720c720426381319437db8373bbe6c396b5bf
Link:
https://www.unpac.me/results/c3196c50-cca9-41a1-88c7-60bbae8b846c/
SH256 hash:
36bef6d18893f0dbb31853859ba826f5e2e7475a2141ed2b7d37dedde98c1813
MD5 hash:
06af7bbeece7575a74b6e0177d787521
SHA1 hash:
cf8b257fd8f15e98ead8bab93f635bdb3d9d1473
Link:
https://www.unpac.me/results/c3196c50-cca9-41a1-88c7-60bbae8b846c/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/c3196c50-cca9-41a1-88c7-60bbae8b846c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/499b658962045baed85a8e15c6da466efd2bd245a671def8ee315e5a388a6292

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 499b658962045baed85a8e15c6da466efd2bd245a671def8ee315e5a388a6292

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/73124/

Comments