MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

SHA256 hash: 623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100
SHA3-384 hash: 12bfc88d2bd0a589010df9de2655b626d12d70259f1ac3139b55346c1d05a40f61557f8726bd40343f9c3a20125871d8
SHA1 hash: 3c096e92894c9ff7bfae0fcc0ce5f250cb4ebe9f
MD5 hash: b70ffeb2babbacb28b22411beccb4642
humanhash: edward-cardinal-vermont-pluto
File name: Consignment Document PL&BL Draft.exe
Signature: AgentTesla
File size: 700'416 bytes
First seen: 2020-12-03 08:30:02 UTC
Last seen: 2020-12-03 14:13:12 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (28'877 x AgentTesla, 8'705 x Formbook, 4'202 x Loki)
ssdeep: 12288:C2HV0CAO/8tsaZm/VGGNO332QplXGJi2o3TnCaR:C2HYBVm/MGillXe3szCa
Threatray: 3'389 similar samples on MalwareBazaar
TLSH: F0E4F1F23144E59AE8F70DB5791525903DB3B96F9AA0C38D78C8130E55F33024A96FAB
Reporter: @abuse_ch
Tags: AgentTesla exe TNT


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: cloudhost-1555254.us-midwest-1.nxcli.net
Sending IP: 8.29.155.20
From: TNT EXPRESS® <service@tnt.com>
Subject: Consignment Notification: You have A Package With Us
Attachment: Consignment Document PLBL Draft.img (contains "Consignment Document PL&BL Draft.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence


File Origin
# of uploads: 2
# of downloads: 131
Origin country: FR
Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
DNS request
Connection attempt
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Threat name: Nanocore AgentTesla AsyncRAT
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Detected Nanocore Rat
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected AsyncRAT
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Behavior Graph ID: 326301; Sample: Consignment Document PL&BL ...; Startdate: 03/12/2020; Architecture: WINDOWS; Score: 100
Root signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 15 other signatures
Process tree:
  Consignment Document PL&BL Draft.exe (started)
    drops: Consignment Document PL&BL Draft.exe.log, ASCII
    Consignment Document PL&BL Draft.exe (started, child)
      drops: C:\Users\user\AppData\...\Rczgwoxvqzh.exe, PE32; C:\Users\user\AppData\Local\Temp\Icda.exe, PE32
      Rczgwoxvqzh.exe (started)
        drops: C:\Users\user\AppData\Local\...\Isgeprf.exe, PE32; C:\Users\user\AppData\...\Fdquqwatjjr.exe, PE32
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (overwrites its own PE header)
        Fdquqwatjjr.exe (started)
          network: flood-protection.org 85.187.154.178, ports 49739, 587 (A2HOSTINGUS, United States); mail.flood-protection.org
          signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); 3 other signatures
        Isgeprf.exe (started)
          drops: C:\Users\user\AppData\Local\Temp\VLC2.exe, PE32
          signatures: Machine Learning detection for dropped file
          cmd.exe (started)
            conhost.exe (started)
            timeout.exe (started)
            VLC2.exe (started)
          cmd.exe (started)
            conhost.exe (started)
            schtasks.exe (started)
      Icda.exe (started)
        network: centurygift.myq-see.com 172.94.25.202, ports 5500, 5550 (M247GB, United States)
        drops: C:\Program Files (x86)\...\dhcpmon.exe, PE32; C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO
        signatures: Machine Learning detection for dropped file; Hides that the sample has been downloaded from the Internet (zone.identifier)
  VLC2.exe (started)
    DNS: centurygift.myq-see.com
    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
  dhcpmon.exe (started)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-12-03 08:30:08 UTC
AV detection: 17 of 28 (60.71%)
Threat level: 5/5
Result
Malware family: nanocore
Score: 10/10
Tags: family:asyncrat family:nanocore evasion keylogger persistence rat spyware stealer trojan
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AsyncRat
NanoCore
Malware Config
C2 Extraction:
:5550
centurygift.myq-see.com:5550
centurygift.myq-see.com:5500
Unpacked files

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam / AgentTesla / Executable exe 623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100 (this sample)

Delivery method: Distributed via e-mail attachment
