MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4b49558e3e90359b9d91a2f42e97cc10048d4fdbb5bf4956fea2d91a4f97168f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 9 File information Comments

SHA256 hash:	4b49558e3e90359b9d91a2f42e97cc10048d4fdbb5bf4956fea2d91a4f97168f
SHA3-384 hash:	9855cc3eba04ba72e0a741de152e445f8ec533d55db4a37b70846e2856cb665862a2c2f218a1d69b50acb831d537585c
SHA1 hash:	32a51b706742af5212bc462096150bf4813a9038
MD5 hash:	c4f1c5732b3308eac05ce325fa53bac8
humanhash:	tango-enemy-arizona-thirteen
File name:	Dlivery Order.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	924'160 bytes
First seen:	2021-03-29 11:29:02 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:mI4oJK8cu/26CkiLF50nUMQB6EDC+tOzrM:mI4oncf6CWnUnB6dVM
Threatray	9'727 similar samples on MalwareBazaar
TLSH	D715127232A57FE2F9798FF5653124444FF97427A671E28CAD8220D626B7B019F90C23
Reporter	malwarelabnet
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

112

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Dlivery Order.exe

Verdict:

Malicious activity

Analysis date:

2021-03-29 11:37:22 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/e436281e-485b-41c8-827a-a95ae1e2f290

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/127568/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET-16.UNOFFICIAL

Win.Packed.Burkina-9808944-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Sending a UDP request

Using the Windows Management Instrumentation requests

Creating a file

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/1a1dde6d-1fe6-49e2-bd6d-5d1946a10495

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/656826

Signature

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/4b49558e3e90359b9d91a2f42e97cc10048d4fdbb5bf4956fea2d91a4f97168f/

Threat name:

ByteCode-MSIL.Trojan.NanoBot

Status:

Malicious

First seen:

2020-12-03 19:33:26 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=jnevldr6sa2zxhmrul2c5f6mcaci2t63ww7usvx6ulmrut4xc2hq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

485c37467147a13d48ca5857e05fefde3648db9bb7fe979ff58b8e138c135603

AgentTesla

5192ad844549de866d34a6a739e6171acd2eabaab69230db37c931efd85b390b

AgentTesla

5e74989efa96ead9311c5927e6f6a2be657a418de923461ec520d09aeaee970a

AgentTesla

61b69f7d85ced51c8f0aedc90a74cf60ceb166ee2b4eec7b0f559a8eda47ce48

AgentTesla

6932cd91548a70814291bd9793e7e048526cc4f183e5aa3c9ca8ba9b243a8474

AgentTesla

76c7edf5852cfb7559a3886e0df7dee4422a624403630a60b7584bbd050c89b6

AgentTesla

89f7219c6aed63932df5feb7a41fb92f3ef7ef2885b9508a612d59644792ccb1

AgentTesla

df702434f7363b55d44177136c0700447932a6568f48c4638a772a1694055345

AgentTesla

e385b8f5946a41469f49fad4aaeb98e510e79afd0ba6c8546c7b6548da61b8e6

AgentTesla

+ 9'717 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla evasion keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210329-x41wdy3rfs/

Behaviour

Creates scheduled task(s)

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

AgentTesla Payload

Looks for VirtualBox Guest Additions in registry

AgentTesla

Unpacked files

SH256 hash:

9be1ad616a483be6f65e69a88fd1d6cab6e8217236ac189d8b903f5f8c686832

MD5 hash:

55314db41bfc3877e5ad1250047a77f3

SHA1 hash:

6e21eb482f0a6b719359b3fb56b52abca46a673e

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/140db811-3c2e-4310-bc89-07dc8ab9cd0d/

Parent samples :

fe9cf9f4d0469600816043ec62c509aee82e223af4ae582c9b537e649d4249cb
0096dc44d88cb2dc617a69d3b9fef566a848c661f00bee5a85afcb205a33aba9
ae6c488302c04f00a60835db6b955fb8e1eb42f0e73e71873f5b7dc630596755
69cbd1cde514fa34db916c79d034366b291e3ea63917b52ec76bef88060bfce0
bd648199b17ff21db3d45cfd10eb3b70fdcbdf42c405061025de6cd1a59c212e
733791b9f0a883fccd3d16935d700144bdfb9e5b8ca2ee4a095fa30ce9c301e5
4b49558e3e90359b9d91a2f42e97cc10048d4fdbb5bf4956fea2d91a4f97168f

SH256 hash:

6ca819ec482d66e08403b8eeb512db60945d43ca9582785491630aaff0fb8848

MD5 hash:

d6c3b3fbf377ee8fce5d508c84d9a913

SHA1 hash:

4650ab8b88d9172554205d0bbe5fd5ead9edf73f

Link:

https://www.unpac.me/results/140db811-3c2e-4310-bc89-07dc8ab9cd0d/

SH256 hash:

c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94

MD5 hash:

a60401dc02ff4f3250a749965097e13f

SHA1 hash:

3f22d28fd765f831084cb972a8bd071e421c26a1

Link:

https://www.unpac.me/results/140db811-3c2e-4310-bc89-07dc8ab9cd0d/

SH256 hash:

4b49558e3e90359b9d91a2f42e97cc10048d4fdbb5bf4956fea2d91a4f97168f

MD5 hash:

c4f1c5732b3308eac05ce325fa53bac8

SHA1 hash:

32a51b706742af5212bc462096150bf4813a9038

Link:

https://www.unpac.me/results/140db811-3c2e-4310-bc89-07dc8ab9cd0d/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/4b49558e3e90359b9d91a2f42e97cc10048d4fdbb5bf4956fea2d91a4f97168f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	agent_tesla_2019 Create hunting rule
Author:	jeFF0Falltrades

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	MALWARE_Win_AgentTeslaV2 Create hunting rule
Author:	ditekSHen
Description:	AgenetTesla Type 2 Keylogger payload

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/127568/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample