MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 586409e98ade6e754cfba0bd0aec2e8690a909c41cebac4085cad6f79d9676b4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 586409e98ade6e754cfba0bd0aec2e8690a909c41cebac4085cad6f79d9676b4
SHA3-384 hash: b666e2a6fa3b35c72b4e48841c90832a134dd754a29dca429b8c171668fdf3d9004d7bae90b112ac9cc71d7204928a4b
SHA1 hash: 003e1c1c71106f330c8fc332f795d46a1e3cf716
MD5 hash: 3dfd654e06b2e38ec01f88db27abc717
humanhash: moon-two-violet-oregon
File name:PAYRECEIPT.cmd
Download: download sample
Signature AgentTesla
Create hunting rule
File size:42'992 bytes
First seen:2021-02-22 23:05:50 UTC
Last seen:2021-02-26 05:16:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'748 x AgentTesla, 19'643 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 768:V6wF2v4MBy7GKywIbFson32tN/WVnX5n4/AAR65Dqh2:EwFS4yy7GK3AsonXVGvR65Dz
Threatray 2'799 similar samples on MalwareBazaar
TLSH 9B13D8A944537414E5EB0A7129A1FD743B2CA7705854E00EE022A15CCFC6AFB74DEEEE
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
7
# of downloads :
137
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAYRECEIPT.cmd
Verdict:
Malicious activity
Analysis date:
2021-02-22 15:21:46 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4ab9cfc8-95be-4e0d-bb37-249945ec350f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
DLAgent06
Create hunting rule
Link:
https://www.capesandbox.com/analysis/118422/
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.36385701.20458.10913.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Creating a file
Creating a window
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
Using the Windows Management Instrumentation requests
Sending a UDP request
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Setting a single autorun event
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Moving of the original file
Adding exclusions to Windows Defender
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/614698
Signature
Adds a directory exclusion to Windows Defender
Binary contains a suspicious time stamp
Changes security center settings (notifications, updates, antivirus, firewall)
Creates multiple autostart registry keys
Drops PE files with benign system names
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: Suspicious Program Location Process Starts
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 356356 Sample: PAYRECEIPT.cmd Startdate: 23/02/2021 Architecture: WINDOWS Score: 100 59 mail.royalhotelapartmentet.com 2->59 61 royalhotelapartmentet.com 2->61 73 Multi AV Scanner detection for submitted file 2->73 75 Yara detected AgentTesla 2->75 77 Sigma detected: Suspicious Program Location Process Starts 2->77 79 6 other signatures 2->79 9 PAYRECEIPT.exe 17 6 2->9         started        14 explorer.exe 2->14         started        16 explorer.exe 2->16         started        18 14 other processes 2->18 signatures3 process4 dnsIp5 63 coroloboxorozor.com 104.21.71.230, 49716, 49731, 49735 CLOUDFLARENETUS United States 9->63 55 C:\Users\Public\Documents\...\svchost.exe, PE32 9->55 dropped 57 C:\Users\...\svchost.exe:Zone.Identifier, ASCII 9->57 dropped 95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->95 97 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->97 99 Creates multiple autostart registry keys 9->99 105 3 other signatures 9->105 20 PAYRECEIPT.exe 2 5 9->20         started        24 WerFault.exe 9 9->24         started        26 cmd.exe 1 9->26         started        33 2 other processes 9->33 28 svchost.exe 14->28         started        31 svchost.exe 16->31         started        65 127.0.0.1 unknown unknown 18->65 101 Multi AV Scanner detection for dropped file 18->101 103 Changes security center settings (notifications, updates, antivirus, firewall) 18->103 file6 signatures7 process8 dnsIp9 49 C:\Users\user\AppData\Roaming\...\CZVkY.exe, PE32 20->49 dropped 51 C:\Users\user\...\CZVkY.exe:Zone.Identifier, ASCII 20->51 dropped 81 Moves itself to temp directory 20->81 83 Creates multiple autostart registry keys 20->83 85 Hides that the sample has been downloaded from the Internet (zone.identifier) 20->85 53 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 24->53 dropped 35 conhost.exe 26->35         started        37 timeout.exe 1 26->37         started        67 172.67.172.17, 49726, 49729, 80 CLOUDFLARENETUS United States 28->67 69 coroloboxorozor.com 28->69 87 Multi AV Scanner detection for dropped file 28->87 89 Adds a directory exclusion to Windows Defender 28->89 91 Hides threads from debuggers 28->91 39 powershell.exe 28->39         started        41 cmd.exe 28->41         started        71 coroloboxorozor.com 31->71 93 System process connects to network (likely due to code injection or exploit) 31->93 43 conhost.exe 33->43         started        file10 signatures11 process12 process13 45 conhost.exe 39->45         started        47 conhost.exe 41->47         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/586409e98ade6e754cfba0bd0aec2e8690a909c41cebac4085cad6f79d9676b4/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-02-22 17:29:31 UTC
AV detection:
14 of 29 (48.28%)
Threat level:
  3/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lbsat2mk3zxhkth3uc6qv3boq2ikscoedtv2yqefzllpphmwo22a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
65b75cee62573656b9a894f439da073433c735e6c7bb539321194f95cd5a8074
AgentTesla
7a39af512f69ee9235b6b5e199beb2313a42ce4d6ec9b610c6e54a131c415bd8
AgentTesla
8905819fcaa0d71e50cc1ec90e32258967e011878efb78f8db8893ad04a98174
AgentTesla
98712ca737a8d8cddc09bd41dbae64ccc816d5a846da270615108bac7023e19d
AgentTesla
acf949e60ec1fa015f83ea1d7caa8810bc0ccb28b99cab88f3d162819a526cab
AgentTesla
c5346cc75271fe0e7f133be6d6a7cf731cf1e88b68ff7c9b031a6da67c172f8d
AgentTesla
d8c590e11c422a5cf6b2a1f8ddceee64805d063739d0e83c234bdcabae9e3700
AgentTesla
e40b50918c860d686479a98167208e4104471d38708d82f267b4cedc4242ace2
AgentTesla
fd9b51a831b2bebf0dbb8729527ebcfc32c927e0b6f9911b31bf29dfaf181d0d
AgentTesla
fe378f1e009b2b77c3e08de81d767a79fee3bce433810158b3be3d470baac6b7
AgentTesla
+ 2'789 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210222-thxaxnw1le/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
AgentTesla Payload
AgentTesla
Windows security bypass
Unpacked files
SH256 hash:
586409e98ade6e754cfba0bd0aec2e8690a909c41cebac4085cad6f79d9676b4
MD5 hash:
3dfd654e06b2e38ec01f88db27abc717
SHA1 hash:
003e1c1c71106f330c8fc332f795d46a1e3cf716
Link:
https://www.unpac.me/results/7d5c730a-97d2-4eb0-820e-b0678f8d0d86/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/586409e98ade6e754cfba0bd0aec2e8690a909c41cebac4085cad6f79d9676b4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 6b6e364893e256f77caf6854f61259715d1095097decf28e3e73f54d7008e309

AgentTesla

Executable exe 586409e98ade6e754cfba0bd0aec2e8690a909c41cebac4085cad6f79d9676b4

(this sample)

  
Dropped by
MD5 44f23964b6a374348a68ec0f664c4cab
  
Dropped by
SHA256 6b6e364893e256f77caf6854f61259715d1095097decf28e3e73f54d7008e309
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/118422/

Comments