MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA File information Comments
Add tag Delete this sample Report a False Positive

SHA256 hash: 623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100
SHA3-384 hash: 12bfc88d2bd0a589010df9de2655b626d12d70259f1ac3139b55346c1d05a40f61557f8726bd40343f9c3a20125871d8
SHA1 hash: 3c096e92894c9ff7bfae0fcc0ce5f250cb4ebe9f
MD5 hash: b70ffeb2babbacb28b22411beccb4642
humanhash: edward-cardinal-vermont-pluto
File name:Consignment Document PL&BL Draft.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:700'416 bytes
First seen:2020-12-03 08:30:02 UTC
Last seen:2020-12-03 14:13:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (28'877 x AgentTesla, 8'705 x Formbook, 4'202 x Loki)
ssdeep 12288:C2HV0CAO/8tsaZm/VGGNO332QplXGJi2o3TnCaR:C2HYBVm/MGillXe3szCa
Threatray 3'389 similar samples on MalwareBazaar
TLSH F0E4F1F23144E59AE8F70DB5791525903DB3B96F9AA0C38D78C8130E55F33024A96FAB
Reporter @abuse_ch
Tags:AgentTesla exe TNT


Twitter
@abuse_ch
Malspam distributing AgentTesla:

HELO: cloudhost-1555254.us-midwest-1.nxcli.net
Sending IP: 8.29.155.20
From: TNT EXPRESS® <service@tnt.com>
Subject: Consignment Notification: You have A Package With Us
Attachment: Consignment Document PLBL Draft.img (contains "Consignment Document PL&BL Draft.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
FR FR
Mail intelligence
Gathering data
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/106538/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.6091.13848.25559.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
DNS request
Connection attempt
Running batch commands
Creating a process with a hidden window
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Result
Gathering data
Result
Threat name:
Nanocore AgentTesla AsyncRAT
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/554406
Signature
.NET source code contains potential unpacker
Antivirus detection for dropped file
Detected Nanocore Rat
Detected unpacking (overwrites its own PE header)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: NanoCore
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected AsyncRAT
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 326301 Sample: Consignment Document PL&BL ... Startdate: 03/12/2020 Architecture: WINDOWS Score: 100 74 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->74 76 Found malware configuration 2->76 78 Malicious sample detected (through community Yara rule) 2->78 80 15 other signatures 2->80 10 Consignment Document PL&BL Draft.exe 3 2->10         started        13 VLC2.exe 2->13         started        17 dhcpmon.exe 2->17         started        process3 dnsIp4 64 Consignment Document PL&BL Draft.exe.log, ASCII 10->64 dropped 19 Consignment Document PL&BL Draft.exe 5 10->19         started        68 centurygift.myq-see.com 13->68 92 Antivirus detection for dropped file 13->92 94 Multi AV Scanner detection for dropped file 13->94 96 Machine Learning detection for dropped file 13->96 file5 signatures6 process7 file8 52 C:\Users\user\AppData\...\Rczgwoxvqzh.exe, PE32 19->52 dropped 54 C:\Users\user\AppData\Local\Temp\Icda.exe, PE32 19->54 dropped 22 Rczgwoxvqzh.exe 6 19->22         started        26 Icda.exe 1 10 19->26         started        process9 dnsIp10 56 C:\Users\user\AppData\Local\...\Isgeprf.exe, PE32 22->56 dropped 58 C:\Users\user\AppData\...\Fdquqwatjjr.exe, PE32 22->58 dropped 82 Antivirus detection for dropped file 22->82 84 Multi AV Scanner detection for dropped file 22->84 86 Detected unpacking (overwrites its own PE header) 22->86 29 Fdquqwatjjr.exe 22->29         started        33 Isgeprf.exe 7 22->33         started        66 centurygift.myq-see.com 172.94.25.202, 5500, 5550 M247GB United States 26->66 60 C:\Program Files (x86)\...\dhcpmon.exe, PE32 26->60 dropped 62 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 26->62 dropped 88 Machine Learning detection for dropped file 26->88 90 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->90 file11 signatures12 process13 dnsIp14 70 flood-protection.org 85.187.154.178, 49739, 587 A2HOSTINGUS United States 29->70 72 mail.flood-protection.org 29->72 98 Antivirus detection for dropped file 29->98 100 Multi AV Scanner detection for dropped file 29->100 102 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 29->102 106 3 other signatures 29->106 50 C:\Users\user\AppData\Local\Temp\VLC2.exe, PE32 33->50 dropped 104 Machine Learning detection for dropped file 33->104 36 cmd.exe 33->36         started        38 cmd.exe 33->38         started        file15 signatures16 process17 process18 40 conhost.exe 36->40         started        42 timeout.exe 36->42         started        44 VLC2.exe 36->44         started        46 conhost.exe 38->46         started        48 schtasks.exe 38->48         started       
Detection:
n/a
Create hunting rule
Link:
https://mwdb.cert.pl/sample/623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 08:30:08 UTC
AV detection:
17 of 28 (60.71%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://www.spamhaus.org/query/hash/mi6xa7fllro4g6ffcaabryu7rckj6tvexzftjtbpynxbmevwqeaa._file
Verdict:
malicious
Label(s):
nanocorerat
Create hunting rule
asyncrat
Create hunting rule
agenttesla
Create hunting rule
Similar samples:
29dbd904452edf79122808dfb4810fcf8d089b8e298f68d48497c4b82ebcb1b1
AgentTesla
4192b46f43ae6f482490aa98fbd0690ff4974c677463c73a4230eaa70106b791
AgentTesla
68bf0a42854ac13fe13a75bb213f51934a3edc0fa7a0732ddb12a68699619474
AgentTesla
7da044c42ca2197b24b974350ae45f50ba9573714685c175026ff4a29a57973b
AgentTesla
7edb0b86650ff76c5b00c25c9f642bc4e163a946fe34efab15c0ea3cfee10c60
AgentTesla
90141bd6f0215103fb95009ef0336cbd17aa2e4e41ffa3aa2171f939234c0e32
AgentTesla
adb1948d6b4d965ee35ea8107b1128a9075d3548b61a72cfb35d0893d1f4ffaf
AgentTesla
b4aa35cb89fb4ee9c316d487f9b2964b6dd38144160e61a4141dbe28d44196b1
AgentTesla
ddaaa650d42caaed5ddd7c307b986cdccfc25bcb84c7a4f29f9fddd26add4135
AgentTesla
e843cd8a1f16a71c363c7b4f880c51c37b8e40404f4b09f49bf73f18fd357e52
AgentTesla
+ 3'379 additional samples on MalwareBazaar
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:asyncrat family:nanocore evasion keylogger persistence rat spyware stealer trojan
Link:
https://tria.ge/reports/201203-gxt95cb6rn/
Behaviour
Creates scheduled task(s)
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Drops file in Program Files directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Async RAT payload
AsyncRat
NanoCore
Malware Config
C2 Extraction:
:5550
centurygift.myq-see.com:5550
centurygift.myq-see.com:5500
Unpacked files
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/b8feb195-98fa-4a80-861f-2fdc3cfac4cb/
SH256 hash:
60a740f72ad065e06eea628dda884ca970fe70a10a8748b40df93b5f17217d41
MD5 hash:
0445a7c02e8acd28127a1b7fbf0dacd0
SHA1 hash:
7443acabaa4d9bf98da8f8b09a745f2a8131dc2a
Link:
https://www.unpac.me/results/b8feb195-98fa-4a80-861f-2fdc3cfac4cb/
SH256 hash:
f412f5dc4651b2410ac5fe20b207b9b9791ceae3653463e4ffb93840885091a1
MD5 hash:
0f9d42d75f30dd5263fc1a2a44a8c629
SHA1 hash:
b1a83ae278a66837662ad9b2081b39be8c0c2298
Link:
https://www.unpac.me/results/b8feb195-98fa-4a80-861f-2fdc3cfac4cb/
SH256 hash:
97a5cab2336f3b81f82d7ec85b2f0937ce39d10e512bf0bdade9248d6d1bc682
MD5 hash:
01475371c9519a0c8f64b7606a0833e0
SHA1 hash:
58de8246d2910f00ed1d4deabc69cf60d8ddcf8b
Link:
https://www.unpac.me/results/b8feb195-98fa-4a80-861f-2fdc3cfac4cb/
SH256 hash:
9589565f7beb6dccfe4f8424455271bbf810182ea94dacbc8c081577e34a51e1
MD5 hash:
bb21f995740d8bc1549d9cbc32874dd8
SHA1 hash:
8c53b645027362ec97c15735eeb39a12d62c8a74
Detections:
win_nanocore_w0
Create hunting rule
Link:
https://www.unpac.me/results/b8feb195-98fa-4a80-861f-2fdc3cfac4cb/
Parent samples :
ddaaa650d42caaed5ddd7c307b986cdccfc25bcb84c7a4f29f9fddd26add4135
7da044c42ca2197b24b974350ae45f50ba9573714685c175026ff4a29a57973b
623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100
9589565f7beb6dccfe4f8424455271bbf810182ea94dacbc8c081577e34a51e1
SH256 hash:
c0791632452fd17fdb08b4241ad7b6f5aaf1af6190861301135ef3631f4b4020
MD5 hash:
e8dc83a4ed7657d3211077b7f343fc3c
SHA1 hash:
0af6cb0ca0d55a2ec6626443b5d91f9c0d0c332c
Link:
https://www.unpac.me/results/b8feb195-98fa-4a80-861f-2fdc3cfac4cb/
SH256 hash:
488c59fddf2db00da7fb4d6589183adc7396edc4233f23eb950aa7191fe4366e
MD5 hash:
e2da4f42475e01f7961ef2fb929de54e
SHA1 hash:
e57df765da7135d578b29e4619cc395a729eb757
Detections:
win_asyncrat_w0
Create hunting rule
Link:
https://www.unpac.me/results/b8feb195-98fa-4a80-861f-2fdc3cfac4cb/
Parent samples :
ddaaa650d42caaed5ddd7c307b986cdccfc25bcb84c7a4f29f9fddd26add4135
7da044c42ca2197b24b974350ae45f50ba9573714685c175026ff4a29a57973b
623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100
488c59fddf2db00da7fb4d6589183adc7396edc4233f23eb950aa7191fe4366e
SH256 hash:
61e9d5c0727665e9ef3f328141397be47c65ed11ab621c644b5bbf1d67138403
MD5 hash:
bdc8945f1d799c845408522e372d1dbd
SHA1 hash:
874b7c3c97cc5b13b9dd172fec5a54bc1f258005
Link:
https://www.unpac.me/results/b8feb195-98fa-4a80-861f-2fdc3cfac4cb/
SH256 hash:
01e3b18bd63981decb384f558f0321346c3334bb6e6f97c31c6c95c4ab2fe354
MD5 hash:
9c8242440c47a4f1ce2e47df3c3ddd28
SHA1 hash:
874f3caf663265f7dd18fb565d91b7d915031251
Link:
https://www.unpac.me/results/b8feb195-98fa-4a80-861f-2fdc3cfac4cb/
SH256 hash:
f9b8c3f31375e9a1ec105f930f751869a804110d29d6b38e7298622eb74b2bec
MD5 hash:
42006852619847f368bc4062849cd6dc
SHA1 hash:
ba6edc3a5aba8eac15b6a30e1407cdae80b2481d
Link:
https://www.unpac.me/results/b8feb195-98fa-4a80-861f-2fdc3cfac4cb/
SH256 hash:
623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100
MD5 hash:
b70ffeb2babbacb28b22411beccb4642
SHA1 hash:
3c096e92894c9ff7bfae0fcc0ce5f250cb4ebe9f
Link:
https://www.unpac.me/results/b8feb195-98fa-4a80-861f-2fdc3cfac4cb/
AV coverage:
21.43%
AV detections:
15 / 70
Link:
https://www.virustotal.com/gui/file/623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100/detection/f-623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100-1606979334
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img d14e0a744f5fa81fadc381637e173b465752db623c24dc98a75bd350da37e7d7

AgentTesla

Executable exe 623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100

(this sample)

  
Dropped by
MD5 f925daf782826be42d26fdd38a7403b7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106538/
  
Dropped by
SHA256 d14e0a744f5fa81fadc381637e173b465752db623c24dc98a75bd350da37e7d7

Comments