MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 637149f0fb9933d264b501d66162e17eb6a5b715b8976e7f031d2c8261e7c17e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	637149f0fb9933d264b501d66162e17eb6a5b715b8976e7f031d2c8261e7c17e
SHA3-384 hash:	8f4a52b672cbdd1802548650e4ef496835b603ecc6bd558200b8b6c01a750e296ba04e493f1beb4fa6710ca5610f226a
SHA1 hash:	c3b4a854e917b693060c831be1ac690cfa26e4e7
MD5 hash:	82f88ff951b932ae1410a087a4be0a89
humanhash:	cola-nevada-mobile-michigan
File name:	outstanding payment pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	922'112 bytes
First seen:	2021-01-03 10:46:02 UTC
Last seen:	2021-01-04 14:51:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:b5ybF7AtbHLPqopXfijvtKIVA9gXoLD7pa27g4gNYBNSrK8xv+Ui6kAYg7Cthju:b5yqtbHLPZ6B6gX4ow0fxvAV3Vvj
Threatray	2'714 similar samples on MalwareBazaar
TLSH	E315CF127FA58A11F2BE6736C96A414047F0BD02A5A2D73FBDF4305D4872B80B935B7A
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: cnpiecsb.com
Sending IP: 185.222.57.185
From: Accounts Department<Shuvahsis@cnpiecsb.com>
Subject: T/T payment of EUR 11,631.35
Attachment: outstanding payment pdf.z (contains "outstanding payment pdf.exe")

AgentTesla SMTP exfil server:
mail.greatgoldenqlory.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

231

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

outstanding payment pdf.exe

Verdict:

Malicious activity

Analysis date:

2021-01-03 10:49:02 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/43f8cb3c-fb9a-44ad-bfe8-ff6d5cedbd86

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/110335/

Detection(s):

SecuriteInfo.com.Variant.MSILHeracles.9005.22435.6340.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Enabling the 'hidden' option for recently created files

Adding an access-denied ACE

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Enabling autorun by creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/573051

Signature

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/637149f0fb9933d264b501d66162e17eb6a5b715b8976e7f031d2c8261e7c17e/

Threat name:

ByteCode-MSIL.Trojan.Heracles

Status:

Malicious

First seen:

2021-01-03 07:45:57 UTC

AV detection:

18 of 28 (64.29%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=mnyut4h3tez5ezfvahlgcyxbp23klnyvxclw47ydduwieyphyf7a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

268f89bd4548d21dd1f6133a394327691e479443003cb92cdf9c0568a6b3ec41

AgentTesla

342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda

AgentTesla

5af4dfcb3e6c84a81b3c51962c9f32a5f24ebed2edefa5b12f1965ad6ce84619

AgentTesla

5f660b3ade2f06e699063a8ea77f25509dc4ea949bb8b590fefe22d94b70bbed

AgentTesla

642dfced9844802f4388b3c2f30e08d9a1c94f2507e7277d900756b284d37ca1

AgentTesla

69049cb94657b71040281c6906d20d60a4fe48b5c5ecdf2032980e1e898e550c

AgentTesla

db1bb2a6d7136c4c38bdc25d98b7b328b79837a027034b7f2d30c58f92ff6064

AgentTesla

dd5a14637f0373f0833e003675e13c4039423d402013d89d85ea345c5d2df963

AgentTesla

e657ffb001754315f6a10d766882fc481809a576fde55ff1f0158b793beac202

AgentTesla

+ 2'704 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210103-rmmzbyjygx/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

637149f0fb9933d264b501d66162e17eb6a5b715b8976e7f031d2c8261e7c17e

MD5 hash:

82f88ff951b932ae1410a087a4be0a89

SHA1 hash:

c3b4a854e917b693060c831be1ac690cfa26e4e7

Link:

https://www.unpac.me/results/39215da6-acba-4a37-a20f-82f4ad1bd677/

SH256 hash:

3b145c1ace9b3acbed3d2c34a0417263e20022c5d51bd4310f4bcf76a33aec64

MD5 hash:

31ecf276a5e6c8de9e9dedf0433d1981

SHA1 hash:

0b971eea88b4a456ae2060173ef3f77489fe39f8

Link:

https://www.unpac.me/results/39215da6-acba-4a37-a20f-82f4ad1bd677/

SH256 hash:

830bdd0826b2d303a26d39529c93dc95e26a7a831b76c8ddcd18f2bc62838ab1

MD5 hash:

f8347ddf9a234617f3901c0e348d3fe5

SHA1 hash:

3cb7c715f6a4eb0b49ca4485458b69abdee51b04

Link:

https://www.unpac.me/results/39215da6-acba-4a37-a20f-82f4ad1bd677/

SH256 hash:

44106a7753790a12c522849b3f7da238337bd0342e5664021e25f79b2705ae9a

MD5 hash:

d43e8dcc8f8b23c144f820eaa9bdbee4

SHA1 hash:

41faa61eb543ac1386e59ef1e3c485a19458ff68

Link:

https://www.unpac.me/results/39215da6-acba-4a37-a20f-82f4ad1bd677/

SH256 hash:

5dc943eba4dde6bd4507c179144e18d3e4781b3781c6f3656e7495a8431645b6

MD5 hash:

c974f73b0fa1fdb0ac7c6a34322ca952

SHA1 hash:

4e9abe17bd7eef9542c60db2d63f31240f6dae4c

Link:

https://www.unpac.me/results/39215da6-acba-4a37-a20f-82f4ad1bd677/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/637149f0fb9933d264b501d66162e17eb6a5b715b8976e7f031d2c8261e7c17e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	Ping_Del_method_bin_mem Create hunting rule
Author:	James_inthe_box
Description:	cmd ping IP nul del

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 20dd2e265b1136e9aff147208d6f3602023e16e1534fb38f1b1a318dffc473e6

AgentTesla

exe 637149f0fb9933d264b501d66162e17eb6a5b715b8976e7f031d2c8261e7c17e

(this sample)

Dropped by

MD5 f76dafd14032afb846fd06619d2bf89e

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/110335/

Dropped by

SHA256 20dd2e265b1136e9aff147208d6f3602023e16e1534fb38f1b1a318dffc473e6

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample