MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 588cf49880e13ebf52438e8377d7c959fed298143f7a9fcc000cd654cb01e778. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 7 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 588cf49880e13ebf52438e8377d7c959fed298143f7a9fcc000cd654cb01e778
SHA3-384 hash: 429a5a8d786bc8c4b95542ef0c3d2735f93ef1f5321630186ac253feac35a9b8ecd2e94834768b474f46597451ff9955
SHA1 hash: db5ae10955b0743f89a7664471462fcdd83e49d6
MD5 hash: dffdcf20552daf8cfd494b24b6734f26
humanhash: hamper-connecticut-queen-tennessee
File name:NEW INQUIRIES.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:449'024 bytes
First seen:2021-09-03 10:59:12 UTC
Last seen:2021-09-03 13:40:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:y0cafVVIoKM2QUZ4G5p07maVwlpl+zroYzRg:y0cafVVxvUyGn9uwl
Threatray 10'507 similar samples on MalwareBazaar
TLSH T112A4CF9C765072EFC867C936CEA45C24EA60687B531BD307A45322AD9E0D6DBCF124F2
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
291
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
NEW INQUIRIES.exe
Verdict:
Suspicious activity
Analysis date:
2021-09-03 10:59:47 UTC
Tags:
keylogger stealer agenttesla
Link:
https://app.any.run/tasks/539286db-bb4e-40ee-91ad-5535ea6669e4

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/185158/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/d83b5502-f06d-4669-b585-651dde426956
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/844766
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 477197 Sample: NEW INQUIRIES.exe Startdate: 03/09/2021 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Multi AV Scanner detection for submitted file 2->51 53 Yara detected AgentTesla 2->53 55 7 other signatures 2->55 6 NEW INQUIRIES.exe 3 2->6         started        10 newapp.exe 3 2->10         started        12 newapp.exe 2 2->12         started        process3 file4 29 C:\Users\user\...29EW INQUIRIES.exe.log, ASCII 6->29 dropped 57 Injects a PE file into a foreign processes 6->57 14 NEW INQUIRIES.exe 2 9 6->14         started        19 NEW INQUIRIES.exe 6->19         started        59 Multi AV Scanner detection for dropped file 10->59 61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->61 63 Machine Learning detection for dropped file 10->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 10->65 21 newapp.exe 2 10->21         started        23 newapp.exe 10->23         started        25 newapp.exe 2 12->25         started        27 newapp.exe 12->27         started        signatures5 process6 dnsIp7 35 us2.smtp.mailhostbox.com 208.91.198.143, 49723, 49724, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->35 37 192.168.2.1 unknown unknown 14->37 39 smtp.kemede.com 14->39 31 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 14->31 dropped 33 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 14->33 dropped 41 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->41 43 Tries to steal Mail credentials (via file access) 14->43 45 Tries to harvest and steal ftp login credentials 14->45 47 3 other signatures 14->47 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/588cf49880e13ebf52438e8377d7c959fed298143f7a9fcc000cd654cb01e778/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-09-03 07:51:25 UTC
AV detection:
11 of 41 (26.83%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=lcgpjgea4e7l6usdr2bxpv6jlh7nfgauh55j7taabtlfjsyb454a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4585e13fe4d4307e82e693c3063bf53ea84591b843c0ae59fefc0f4086ec86db
AgentTesla
590d1a6a1fa00812284d4f5e4f47cb34d4965c79bfc9ec1741f2a8e14967719b
AgentTesla
61d4dd89bcb94b321942a0ebc30ad2319411eff15bc24ab4769fd00a20a92188
AgentTesla
90c016c8affd8f058d6f190169aad49f6394cdf444aad8c0abc350df6553d447
AgentTesla
c1429303621a21dde308369b2c19b782b5c8c23e8993a2dd39f73ce119c60dd0
AgentTesla
dad6cf0986db0d1a9b5b952e67604f253a1a5458cb63e7d638a8359180952589
AgentTesla
ebdb5f9167c925da14a5783a022be63ac4daeeb7515692c7cd50c37a7851e7e4
AgentTesla
f349ed3a3e5bab8bc5694ba8885e6717c049064394682b240afe62ede7f67a9e
AgentTesla
+ 10'497 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210903-m3zf4agbbm/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
4865fc7bc1c45cf8eede9afd3e73fa69e145fa321644727ef43de60ecde115d3
MD5 hash:
0a088b229b483427cbd8be953c147d8b
SHA1 hash:
c1ef087484c5e7f449a7e6328d594750cdc0a4ed
Link:
https://www.unpac.me/results/999038f3-2f09-4f96-9a7a-5cf1217542d8/
SH256 hash:
7b521a0506ee7e12a1416d1ea05351e97fcdeedaca9a92de69b0e7d1ae4b3f0f
MD5 hash:
43328cd53e21a482345ffe640fba903e
SHA1 hash:
21bfff13a20b1781adf1a6fc0c24809054f5f93e
Link:
https://www.unpac.me/results/999038f3-2f09-4f96-9a7a-5cf1217542d8/
SH256 hash:
295e42178b7e9ef3605e37ca5a03937fef4b539b119051c092976fac8acfec0d
MD5 hash:
6f0b7fa3faa9e2b937a45b8e8be9b6da
SHA1 hash:
15261f8c9795be79da07f20220c2ad281fda4549
Link:
https://www.unpac.me/results/999038f3-2f09-4f96-9a7a-5cf1217542d8/
SH256 hash:
588cf49880e13ebf52438e8377d7c959fed298143f7a9fcc000cd654cb01e778
MD5 hash:
dffdcf20552daf8cfd494b24b6734f26
SHA1 hash:
db5ae10955b0743f89a7664471462fcdd83e49d6
Link:
https://www.unpac.me/results/999038f3-2f09-4f96-9a7a-5cf1217542d8/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/588cf49880e1/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/588cf49880e13ebf52438e8377d7c959fed298143f7a9fcc000cd654cb01e778

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 588cf49880e13ebf52438e8377d7c959fed298143f7a9fcc000cd654cb01e778

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/185158/

Comments