MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4bf5091bc067f8255252ad26fb03b715301433af9334dd100b9b6586983979f0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4bf5091bc067f8255252ad26fb03b715301433af9334dd100b9b6586983979f0
SHA3-384 hash: bffedec1f6ad3193956c5c2a259b79687936a74972dcc5226563bcc454f220b655a809ef160e921473568645012730f6
SHA1 hash: e65a1533801e106e57a804497edf41bafef8e765
MD5 hash: 65fcfe6d8e9bf1281cf759219f1d5585
humanhash: summer-speaker-spring-hawaii
File name:ORDER#200095 W3-73547 W3 Wijnen BV Verhoeven.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:575'640 bytes
First seen:2020-10-08 13:32:57 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:1/Ixjo27ZKVBgBNumD//i3lfztTBGJsDuU7W:1QC9I8W/2JrGJsDu1
Threatray 399 similar samples on MalwareBazaar
TLSH A7C4E10596E4281ADA3AD3368897CE3197F07E072A33C6462CD4FF93B9B57991709273
Reporter James_inthe_box
Tags:AgentTesla exe

Code Signing Certificate

Organisation:
Issuer:
Algorithm:sha256WithRSAEncryption
Valid from:Oct 8 08:56:12 2020 GMT
Valid to:Oct 8 08:56:12 2021 GMT
Serial number: 2EA2CED2AF1458DE5FAC7D8A6B6133F5
Thumbprint Algorithm:SHA256
Thumbprint: FD69C8B4C55FD84DC0272687F6C6CD3D6A3408F0347113A8E5940C59FBEF1DA2
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69275/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
Sending a UDP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Setting a keyboard event handler
DNS request
Sending a custom TCP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Enabling autorun
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/485552
Signature
Binary contains a suspicious time stamp
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295334 Sample: ORDER#200095 W3-73547 W3 Wi... Startdate: 08/10/2020 Architecture: WINDOWS Score: 100 67 Multi AV Scanner detection for dropped file 2->67 69 Multi AV Scanner detection for submitted file 2->69 71 Yara detected AgentTesla 2->71 73 9 other signatures 2->73 7 ORDER#200095 W3-73547 W3 Wijnen BV Verhoeven.exe 3 4 2->7         started        11 ORDER#200095 W3-73547 W3 Wijnen BV Verhoeven.exe 2->11         started        13 ORDER#200095 W3-73547 W3 Wijnen BV Verhoeven.exe 2 2->13         started        15 3 other processes 2->15 process3 file4 49 ORDER#200095 W3-73...en BV Verhoeven.exe, PE32 7->49 dropped 51 ORDER#200095 W3-73...exe:Zone.Identifier, ASCII 7->51 dropped 81 Creates an undocumented autostart registry key 7->81 83 Creates autostart registry keys with suspicious names 7->83 85 Creates multiple autostart registry keys 7->85 17 ORDER#200095 W3-73547 W3 Wijnen BV Verhoeven.exe 15 2 7->17         started        21 WerFault.exe 23 11 7->21         started        23 timeout.exe 1 7->23         started        87 Hides threads from debuggers 11->87 89 Injects a PE file into a foreign processes 11->89 25 ORDER#200095 W3-73547 W3 Wijnen BV Verhoeven.exe 11->25         started        27 timeout.exe 11->27         started        29 ORDER#200095 W3-73547 W3 Wijnen BV Verhoeven.exe 13->29         started        31 timeout.exe 1 13->31         started        33 WerFault.exe 13->33         started        35 3 other processes 15->35 signatures5 process6 dnsIp7 53 elb097307-934924932.us-east-1.elb.amazonaws.com 54.235.169.38, 443, 49769 AMAZON-AESUS United States 17->53 55 nagano-19599.herokussl.com 17->55 57 api.ipify.org 17->57 59 192.168.2.1 unknown unknown 21->59 37 conhost.exe 23->37         started        61 54.227.255.202, 443, 49786 AMAZON-AESUS United States 25->61 63 nagano-19599.herokussl.com 25->63 65 api.ipify.org 25->65 75 Tries to steal Mail credentials (via file access) 25->75 77 Tries to harvest and steal browser information (history, passwords, etc) 25->77 79 Installs a global keyboard hook 25->79 39 conhost.exe 27->39         started        41 conhost.exe 31->41         started        43 conhost.exe 35->43         started        45 conhost.exe 35->45         started        47 conhost.exe 35->47         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4bf5091bc067f8255252ad26fb03b715301433af9334dd100b9b6586983979f0/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2020-10-08 13:32:37 UTC
File Type:
PE (.Net Exe)
Extracted files:
13
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jp2qsg6am74ckussvutpwa5xcuybim5psm2n2ealtnsyngbzphya._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
20c6424e353a9e436708bba102710844e52c8ada62ad91e6de65438ee233faff
AgentTesla
286b00dda63a28a1d22aae31f1622b04700207b92ab0f033e8885fb55eaa3e86
AgentTesla
59bbe3f3c9d04d180126b1396dcda25f533a491a92255ffdfca4acb6a6ca7bfa
AgentTesla
66c8e38b2f545edd7660168b8e778c165f200867abb90cd07c2f033ea1ae8405
AgentTesla
7f717f3d6242070c4f59575f510fa366e5cbd6c17ad484c0735fca89e365a351
AgentTesla
af78e9a2d4a82521ad67cc63493b8525ebf8c2c1b1fb2530162250daafeb2ec7
AgentTesla
cbc01ffceb54ac490802cbb30bf5e913e9755d7fb4637dbcd1d34a7b3f399f2f
AgentTesla
d8dc17c4b3642e45151c21b7e02f12cda99c8c5ee51549a6f271c3ea1b436c3d
AgentTesla
df2618236af018e94e2c167826edfed81faab5a6c5ace255d84d9f07296a63c7
AgentTesla
f23c845c6c2450e632e8894be99fe3eb8a6a42eedc749c593431665c18e37d03
AgentTesla
+ 389 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
spyware persistence
Link:
https://tria.ge/reports/201008-r6e1j3675x/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
4bf5091bc067f8255252ad26fb03b715301433af9334dd100b9b6586983979f0
MD5 hash:
65fcfe6d8e9bf1281cf759219f1d5585
SHA1 hash:
e65a1533801e106e57a804497edf41bafef8e765
Link:
https://www.unpac.me/results/ecc2eefc-fae2-49ac-923b-55538ab609dc/
SH256 hash:
27d27193fea3813f02496c5d4ef8ef59281b10c611b57da0a279ff0352c47d3f
MD5 hash:
8ddd4481cd4c9d863572ea39533bfbbc
SHA1 hash:
99ab75b9c96cb59c64c4b24b1f4f43a59a2be5f5
Link:
https://www.unpac.me/results/ecc2eefc-fae2-49ac-923b-55538ab609dc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4bf5091bc067f8255252ad26fb03b715301433af9334dd100b9b6586983979f0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/69275/

Comments