MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 529a07889f04d93d54830021a424321fd763b41fe8b8941de3ea1c79eae21532. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 529a07889f04d93d54830021a424321fd763b41fe8b8941de3ea1c79eae21532
SHA3-384 hash: 633cba4365a7c4fff25b6eebacb0b6caa2b5dd065e30ace05e78284ce547cd1b00dcc3a75294c3a186c7c72cf447c539
SHA1 hash: 39616af314732299915934cfb77bac085949db42
MD5 hash: 87f663802073da4e7f782d1772014e06
humanhash: east-hawaii-single-fifteen
File name:87f663802073da4e7f782d1772014e06.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'388'032 bytes
First seen:2020-09-25 13:27:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 24576:fWiZucOaCrYz4jEmW/g+ikK7InVGyT/SspYRr:ecyrKmW/PkReSX
Threatray 168 similar samples on MalwareBazaar
TLSH BB55AD2032A57B0CD0B84FB00559BCB5C26A19156A12DA5CAFE322FF6EF57C0BE15B47
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.big3.icu:587

AgentTesla SMTP exfil email address:
99@big3.icu

Intelligence

File Origin
# of uploads :
1
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/65837/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42595.17741.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.Trojan.PWS.Siggen2.55925.6440.12403.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/475167
Signature
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290038 Sample: m3u9ZHQFWF.exe Startdate: 25/09/2020 Architecture: WINDOWS Score: 100 31 Multi AV Scanner detection for dropped file 2->31 33 Sigma detected: Scheduled temp file as task from temp location 2->33 35 Multi AV Scanner detection for submitted file 2->35 37 8 other signatures 2->37 7 m3u9ZHQFWF.exe 6 2->7         started        process3 file4 19 C:\Users\user\AppData\Roaming\JnTWeIzOW.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmp7BAA.tmp, XML 7->21 dropped 23 C:\Users\user\AppData\...\m3u9ZHQFWF.exe.log, ASCII 7->23 dropped 39 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->39 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 Injects a PE file into a foreign processes 7->45 11 m3u9ZHQFWF.exe 15 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 elb097307-934924932.us-east-1.elb.amazonaws.com 23.21.109.69, 443, 49760 AMAZON-AESUS United States 11->25 27 nagano-19599.herokussl.com 11->27 29 api.ipify.org 11->29 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 51 Installs a global keyboard hook 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/529a07889f04d93d54830021a424321fd763b41fe8b8941de3ea1c79eae21532/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 12:26:39 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kknapce7atmt2vedaaq2ijbsd7lwhna75c4jihpd5ioht2xccuza._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
18a2826ae0c8ce3e76a5cb806e89d0070f70cc372cf37468721b8caf8529f401
AgentTesla
51c6d5ac53034179bcbec97268efdd665f30692376284fed57bb257f42fe17c8
AgentTesla
778999d611a2a22f82d48b71e94588b86336376e30b07cb1c3f2230959cc10ab
AgentTesla
aaeb8dbb55dfc7eae9879ef959b1321b70c90784ed1c434cd4fd4583e92cf163
AgentTesla
b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d
AgentTesla
bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886
AgentTesla
cf22a4ba35e94ec83bdf1aec7b4422009aa33f7c6a2c707513d7b1a9eafb368c
AgentTesla
d325caa897cf6cbf6bbc4f627e39d2376d9f6a3a37c17f91d670aec577d01ea0
AgentTesla
dc17f58054bc14cd28845998cad76324467d4a028a063dbd3846b2de0df5c89c
AgentTesla
dd48b3a67ab61431928bff75ec0dd6a64bae646306b68109ef6e02afbf2e4d46
AgentTesla
+ 158 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  9/10
Tags:
evasion spyware
Link:
https://tria.ge/reports/200925-vfzxy25j52/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Looks up external IP address via web service
Checks BIOS information in registry
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Unpacked files
SH256 hash:
529a07889f04d93d54830021a424321fd763b41fe8b8941de3ea1c79eae21532
MD5 hash:
87f663802073da4e7f782d1772014e06
SHA1 hash:
39616af314732299915934cfb77bac085949db42
Link:
https://www.unpac.me/results/826dfc1a-2658-4274-95e4-30bdd460fb86/
SH256 hash:
535286c1e1f482e8d6dd2de945421fdfbec270e3ee754e29438f2f6a0d7611b3
MD5 hash:
ebfced091099c6fd71a259880445f757
SHA1 hash:
3c3351215d1121c8de0d26ff292a079baf4db91e
Link:
https://www.unpac.me/results/826dfc1a-2658-4274-95e4-30bdd460fb86/
SH256 hash:
729a1b125fb330463c22a87c061e384300f49bd9d6793836bb3e52bcb61cc03f
MD5 hash:
ac3f427e66b28b013b0b651c2f71d1e9
SHA1 hash:
ddf8b4b1d36aced75740632b41d30add06b5db3d
Link:
https://www.unpac.me/results/826dfc1a-2658-4274-95e4-30bdd460fb86/
SH256 hash:
d8665b49e9379d921739937d5e6ef7e61e6d8aea6d0a954ac12750c93816aa1a
MD5 hash:
d3d054d6be510a999b579ace8532ef79
SHA1 hash:
de0ee226606653a6d82070895a0cd180561b4be5
Link:
https://www.unpac.me/results/826dfc1a-2658-4274-95e4-30bdd460fb86/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/529a07889f04d93d54830021a424321fd763b41fe8b8941de3ea1c79eae21532

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 529a07889f04d93d54830021a424321fd763b41fe8b8941de3ea1c79eae21532

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/65837/
  
URLhaus
https://urlhaus.abuse.ch/url/611859/
  
Delivery method
Distributed via web download

Comments