MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 55827a9e773dfce60d622e28adf9ece39b9116a4efe7e5283485c6dee1069689. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara 3 Comments

SHA256 hash: 55827a9e773dfce60d622e28adf9ece39b9116a4efe7e5283485c6dee1069689
SHA3-384 hash: 02561e91c6e4cbac6617b3eee6c20d94b6fda50882000832ecf9d2d442b2d536b39c2e9e92478f8d914d4efdb4eab8ab
SHA1 hash: 2882772726f72de9507eeb0cb6e689a21da3875e
MD5 hash: c04c690294b235ee97c62ba378b09a45
humanhash: india-delta-louisiana-fruit
File name:SecuriteInfo.com.Trojan.PackedNET.375.24708.7902
Download: download sample
Signature AgentTesla
File size:675'840 bytes
First seen:2020-08-01 19:28:37 UTC
Last seen:2020-08-02 07:32:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:0FFpHq2/7Bwx9qIvfE1rmzifjBto+HvcsU9vuBro84AdL2AKAijSNfbjvC6Rt3el:4FpH/9mzWBto+PkBuBk84+ajSNvgtE
TLSH C4E41A3C7BC1A82ADF3E093244A56AD0A371A5472B12C74F76C717AC9F026DB3F16166
Reporter @SecuriteInfoCom
Tags:AgentTesla

Intelligence


File Origin
# of uploads :
2
# of downloads :
22
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %temp% directory
Sending a UDP request
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
80 / 100
Signature
Found malware configuration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Threat name:
Win32.Trojan.Kryptik
Status:
Malicious
First seen:
2020-07-07 00:43:18 UTC
AV detection:
23 of 31 (74.19%)
Threat level
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
keylogger stealer family:agenttesla
Behaviour
AgentTesla Payload
Agenttesla family

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments