MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4edb29de31ea157d088eb234d39858fa290f681f509e79e7939ef5d055967304. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4edb29de31ea157d088eb234d39858fa290f681f509e79e7939ef5d055967304
SHA3-384 hash: 1d0b7b7fa20edfd4c14d04c3f4816aa526b7336f91979690c18c61ee438d956d8326b03ef792b8cc7d25bec0721c077e
SHA1 hash: 8f5c5bd303d99e17e1d8b2605ae648e18aabce79
MD5 hash: bdd8d31a570a6c7b74129601ddab9bed
humanhash: speaker-utah-alabama-nineteen
File name:IMG-756785345678765434567654567765765-456234.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:118'720 bytes
First seen:2020-10-10 06:59:54 UTC
Last seen:2020-10-10 08:05:00 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 1536:XVZhNXGvImQL5u8IFz9/gSDm4kH2ZjsP/UfU:XLeImQL5up/gSa4k0c
Threatray 430 similar samples on MalwareBazaar
TLSH 55C3A35EB400F227EAEB4BB89893C80827AFF7711451415E6DD08F8DEE416A53D9E8CD
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: javainc.accesscam.org
Sending IP: 45.147.228.93
From: accounts payable <accountpayable@w0fco-ltd.com>
Subject: Re: Payment Advice Confirmation
Attachment: IMG-756785345678765434567654567765765-456234.LHA (contains "IMG-756785345678765434567654567765765-456234.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
150
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69707/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Adding an access-denied ACE
Unauthorized injection to a recently created process
Creating a file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Adding exclusions to Windows Defender
Enabling autorun
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/487426
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 296155 Sample: IMG-75678534567876543456765... Startdate: 10/10/2020 Architecture: WINDOWS Score: 100 64 Multi AV Scanner detection for submitted file 2->64 66 Yara detected AgentTesla 2->66 68 Machine Learning detection for sample 2->68 70 5 other signatures 2->70 7 IMG-756785345678765434567654567765765-456234.exe 24 6 2->7         started        12 IMG-756785345678765434567654567765765-456234.exe 2->12         started        14 IMG-756785345678765434567654567765765-456234.exe 2->14         started        16 3 other processes 2->16 process3 dnsIp4 54 pastebin.com 104.23.99.190, 443, 49732, 49747 CLOUDFLARENETUS United States 7->54 50 IMG-75678534567876...67765765-456234.exe, PE32 7->50 dropped 52 IMG-75678534567876...exe:Zone.Identifier, ASCII 7->52 dropped 72 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->72 74 Creates an undocumented autostart registry key 7->74 76 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->76 84 5 other signatures 7->84 18 timeout.exe 1 7->18         started        20 powershell.exe 25 7->20         started        22 powershell.exe 24 7->22         started        30 5 other processes 7->30 56 104.23.98.190, 443, 49746 CLOUDFLARENETUS United States 12->56 78 Writes to foreign memory regions 12->78 80 Hides threads from debuggers 12->80 82 Injects a PE file into a foreign processes 12->82 24 timeout.exe 12->24         started        26 timeout.exe 14->26         started        28 timeout.exe 16->28         started        file5 signatures6 process7 dnsIp8 33 conhost.exe 18->33         started        36 conhost.exe 20->36         started        38 conhost.exe 22->38         started        40 conhost.exe 24->40         started        42 conhost.exe 26->42         started        44 conhost.exe 28->44         started        58 192.168.2.1 unknown unknown 30->58 46 conhost.exe 30->46         started        48 conhost.exe 30->48         started        process9 signatures10 60 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 33->60 62 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 33->62
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4edb29de31ea157d088eb234d39858fa290f681f509e79e7939ef5d055967304/
Threat name:
ByteCode-MSIL.Trojan.Ymacco
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 13:56:51 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=j3nstxrr5ikx2ceowi2nhgcy7iuq62a7kcphtz4tt325avmwomca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1cee45036baef97e9be4d746253f962163c4addc173c3b1d401d54d16b66c36d
AgentTesla
5a6ff674194fd8f0b7221de0d402f383eec634054768bd2df0e7adc2fa825953
AgentTesla
8d706befed861457d7fcf22d6c23b5b66c0ad7fec59552410f07b34723924fed
AgentTesla
8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11
AgentTesla
aa90926f50f27f99ae4c0001883be71b64dd0bb2f818cb39481f147f52a4658e
AgentTesla
b7cd8c82d2a6ccebd7b8b9490812b34b9418d325c3a962f293b8f956e5f9a464
AgentTesla
bd5a89235b1e44222a7cda1b6349967af2152683661cef1d8c8ef515d1706828
AgentTesla
d533947ea02478e71f86ece97892e0f87c0bd966395047a6e770158642134f18
AgentTesla
e0d9158031423f43664f7f990234f952a95a42de4804eda933afb59053643cd3
AgentTesla
e9c9002962c8e177831ce5a44e62fd0af97df8518025fc698f77939a10f6de8c
AgentTesla
+ 420 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
evasion trojan spyware keylogger stealer family:agenttesla persistence
Link:
https://tria.ge/reports/201010-f2n2effsaj/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
AgentTesla
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
4edb29de31ea157d088eb234d39858fa290f681f509e79e7939ef5d055967304
MD5 hash:
bdd8d31a570a6c7b74129601ddab9bed
SHA1 hash:
8f5c5bd303d99e17e1d8b2605ae648e18aabce79
Link:
https://www.unpac.me/results/137f52a9-4f1e-41f9-b467-9f696a1a638c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Dropper
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/4edb29de31ea157d088eb234d39858fa290f681f509e79e7939ef5d055967304

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 1a731466ea466c9013c712c7e72525632e01ff6f6a4f5d3f4cbc9b2b634af507

AgentTesla

Executable exe 4edb29de31ea157d088eb234d39858fa290f681f509e79e7939ef5d055967304

(this sample)

  
Dropped by
MD5 baf015938c6b20ce9147d5320f464e36
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 1a731466ea466c9013c712c7e72525632e01ff6f6a4f5d3f4cbc9b2b634af507
Cape
Cape
https://www.capesandbox.com/analysis/69707/

Comments