MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 552b5befe919abe88a18e7cd4e82de23c584309a7aa9924f3376f33a8e86a635. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 552b5befe919abe88a18e7cd4e82de23c584309a7aa9924f3376f33a8e86a635
SHA3-384 hash: ad3aff8a74ca5a22ee100c9b9fc34b2292107a0bae78a46cd36fd1af50b7a6df42f2ba2b13fbc751f4b3e979c6e856e6
SHA1 hash: 2a8aa65e06ec0db9969a147e6631c7d4b54e862d
MD5 hash: 2ea4f71e0708df54c6a7ce028a692d28
humanhash: lima-michigan-uncle-blossom
File name:Statement_of_Account_#8726.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:10'240 bytes
First seen:2020-08-03 14:13:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 192:291yl/igS6Lq/ihELS2hN5HyECVL3LKLxBFnSu1m9f9p:2Cl/xFLq/ieLfhN5HyECVL3LKLxBv12F
Threatray 10'703 similar samples on MalwareBazaar
TLSH F422FA11BB5C4236CE774F368CF372900AB6D3169952EA2E58C9610F9E123518B93FB1
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: center.com
Sending IP: 45.127.62.110
From: Finance <ward@cooperhirthe.xyz>
Subject: Overview of outstanding statement of account and credit notes attached
Attachment: Statement_of_Account.iso (contains "Statement_of_Account_#8726.exe")

AgentTesla SMTP exfil server:
smtp.bazaarkonections.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/37948/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Sending a UDP request
Launching the default Windows debugger (dwwin.exe)
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408104
Signature
Binary contains a suspicious time stamp
Creates autostart registry keys with suspicious names
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 256300 Sample: Statement_of_Account_#8726.exe Startdate: 03/08/2020 Architecture: WINDOWS Score: 100 61 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->61 63 Found malware configuration 2->63 65 Yara detected AgentTesla 2->65 67 2 other signatures 2->67 7 Statement_of_Account_#8726.exe 15 5 2->7         started        12 B5032592-1D1F-4B71-BECB-A88D5F79147C.exe 2 2->12         started        14 B5032592-1D1F-4B71-BECB-A88D5F79147C.exe 14 3 2->14         started        16 B5032592-1D1F-4B71-BECB-A88D5F79147C.exe 2->16         started        process3 dnsIp4 47 googlehosted.l.googleusercontent.com 216.58.214.193, 443, 49708, 49709 GOOGLEUS United States 7->47 49 doc-08-84-docs.googleusercontent.com 7->49 51 doc-04-84-docs.googleusercontent.com 7->51 37 B5032592-1D1F-4B71-BECB-A88D5F79147C.exe, PE32 7->37 dropped 39 C:\...\Statement_of_Account_#8726.exe.log, ASCII 7->39 dropped 81 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->81 18 Statement_of_Account_#8726.exe 3 7->18         started        23 reg.exe 1 1 7->23         started        25 reg.exe 1 1 7->25         started        27 Statement_of_Account_#8726.exe 7->27         started        53 192.168.2.1 unknown unknown 12->53 55 2 other IPs or domains 12->55 29 B5032592-1D1F-4B71-BECB-A88D5F79147C.exe 12->29         started        57 2 other IPs or domains 14->57 83 Machine Learning detection for dropped file 14->83 59 2 other IPs or domains 16->59 file5 signatures6 process7 dnsIp8 41 smtp.bazaarkonections.com 18->41 43 us2.smtp.mailhostbox.com 208.91.199.225, 49710, 49721, 587 PUBLIC-DOMAIN-REGISTRYUS United States 18->43 35 C:\Windows\System32\drivers\etc\hosts, ASCII 18->35 dropped 69 Modifies the hosts file 18->69 71 Creates autostart registry keys with suspicious names 23->71 31 conhost.exe 23->31         started        33 conhost.exe 25->33         started        45 smtp.bazaarkonections.com 29->45 73 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 29->73 75 Tries to steal Mail credentials (via file access) 29->75 77 Tries to harvest and steal ftp login credentials 29->77 79 Tries to harvest and steal browser information (history, passwords, etc) 29->79 file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/552b5befe919abe88a18e7cd4e82de23c584309a7aa9924f3376f33a8e86a635/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 13:26:48 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=kuvvx37jdgv6rcqy47gu5aw6epcyime2pkuzetzto3ztvduguy2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f3fe234c700b316a460c05098c843efbb0965b672d0e7a6f58028669c37ccb9
AgentTesla
1e9928a54010e7bac001f02719f17a6516ddfc9277a10b8c0863331b0df01007
AgentTesla
2a3b5f4a6e6d41c86a9d25ff46831b1bcf73db123bf659d59c8125c147afc895
AgentTesla
399a8e11367c80009a8cd861c379e0f4d6feff8544fecf51705a474edb3b624e
AgentTesla
3be0077c6f64fbd2d0e432bc48a369f17242ba95e26c36bde1ef5c7cc4940b05
AgentTesla
40bd3914235bbb167ad733ba737282f760f57b94a6c98eaed0c9b2aaa66c4627
AgentTesla
69ae33d3de4e9ab0200a9c58cde93a8413d35b92116ce40595af0840eaa56952
AgentTesla
b01594842e3d5d79f262899e0eb357ea538a3f96145b77f102b4ea0ae531c3c6
AgentTesla
b7d481a9846e10a27165c873afc35307088f02b5c1c4e253e35e0dd5f6a7034f
AgentTesla
c5ed24617a8781237722d5368eadc312568dc08fd92c666a4441e6d4a714dea3
AgentTesla
+ 10'693 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Link:
https://tria.ge/reports/200803-266xg1pdae/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/552b5befe919abe88a18e7cd4e82de23c584309a7aa9924f3376f33a8e86a635

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 5a277191ed6ca2ad108cc8aec8b0eaa3a5e0d893970f182bd2bfc74d41466c43

AgentTesla

Executable exe 552b5befe919abe88a18e7cd4e82de23c584309a7aa9924f3376f33a8e86a635

(this sample)

  
Dropped by
MD5 98b24c13a18ad8aa2105c5cd658f58a5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37948/
  
Dropped by
SHA256 5a277191ed6ca2ad108cc8aec8b0eaa3a5e0d893970f182bd2bfc74d41466c43

Comments