MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 597b9eb83b3ce72eb2d98bbf4ab67fbbfcacef10de03636dc062a63b8480b40d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 9

SHA256 hash: 597b9eb83b3ce72eb2d98bbf4ab67fbbfcacef10de03636dc062a63b8480b40d
SHA3-384 hash: d4f18f90b087bc06c570ac8490ee69d43eea1eb7be7bffc669b09c079838f09652a2b38679dffa3d724f22314e9aac65
SHA1 hash: 747414ae57c28b2d02ed27c57b9a16faab43b0a6
MD5 hash: 4091a790d15891ac41c253a8c7f13fe8
humanhash: skylark-island-london-mango
File name: Invoice FNR Marketing - RWP 07.28.20.exe
Signature AgentTesla
File size: 419'840 bytes
First seen: 2020-07-28 13:10:53 UTC
Last seen: 2020-07-28 14:07:41 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash c458ff2d515beb8f44158cd3636a7400 (19 x AgentTesla, 6 x NetWire, 3 x HawkEye)
ssdeep 12288:Y53qnltuxTMfLmyfbAfy2KiWmgFMhXwV:Y5anl1KyfQOmgCA
Threatray 12'030 similar samples on MalwareBazaar
TLSH 329423B9524251A2D5AC087B26F60DC00339A4A18107372A7D005E77BDF59EFEFE9B85
Reporter abuse_ch
Tags: AgentTesla exe


abuse_ch
AgentTesla SMTP exfil server:
webmail.aurianet.com:587

AgentTesla SMTP exfil email address:

Intelligence


File Origin
# of uploads: 2
# of downloads: 72
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Launching a process
Sending a custom TCP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun with Startup directory
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Delayed program exit found
Drops VBS files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph (ID 252519; sample: Invoice FNR Marketing - RWP 07.28.20.exe; start date: 28/07/2020; architecture: WINDOWS; score: 100). Process tree and findings recovered from the graph image:
Root signatures: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 9 other signatures
Root started: Invoice FNR Marketing - RWP 07.28.20.exe, wscript.exe, wuapihost.exe
Invoice FNR Marketing - RWP 07.28.20.exe (first instance): Writes to foreign memory regions; Allocates memory in foreign processes; Maps a DLL or memory area into another process; Queues an APC in another process (thread injection). Started a second instance of itself, notepad.exe, and a third instance of itself
Second instance: contacts webmail.aurianet.com (185.73.178.56, local port 49734, remote port 587, HOSTISOFTES, Spain); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
notepad.exe: Drops VBS files to the startup folder; Delayed program exit found
wscript.exe started Invoice FNR Marketing - RWP 07.28.20.exe, which Maps a DLL or memory area into another process and started notepad.exe plus two further instances of itself
notepad.exe (from the wscript.exe branch) dropped: C:\Users\user\AppData\Roaming\...\startup.vbs, ASCII
Threat name:
Win32.Trojan.FormBook
Status:
Malicious
First seen:
2020-07-28 13:12:08 UTC
AV detection:
25 of 28 (89.29%)
Threat level:
5/5
Result
Malware family:
n/a
Score:
8/10
Tags:
upx
Behaviour
UPX packed file
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research
Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name: suspicious_packer_section
Author: @j0sm1
Description: The packer/protector section names/keywords
Reference: http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/
Rule name: win_agent_tesla_w1
Author: govcert_ch
Description: Detect Agent Tesla based on common .NET code sequences
