MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 677f87ed7f90d728e6cf4b15625778cd7ccb0fab76e39f06a5888046532c4639. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 15


Intelligence 15 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 677f87ed7f90d728e6cf4b15625778cd7ccb0fab76e39f06a5888046532c4639
SHA3-384 hash: df67fe59eef433cdd8f168bed85eb866773b3d21a2f09981c57ab37e052d03303d3560fa3df4aaabfad5eb628b225c1e
SHA1 hash: fd37af7ce04d523ba3d56799cbc6f1553c98304b
MD5 hash: 2d75d2ea7a69a5ddf9187e2720cd7096
humanhash: illinois-winter-carbon-venus
File name:order - 922 - LongWay..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:455'168 bytes
First seen:2022-01-18 10:31:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:iekRRRRRERddHnolSPhoHdZsnsAlZAJD29tDSLfMY8poy:/kRRRRRERddHYYoHKbAt27iy
Threatray 14'102 similar samples on MalwareBazaar
TLSH T175A4132F429CA643C5B34BB9F4A1204C63F4C65B7731E78C4685F2AE2E81BD14E166E7
Reporter GovCERT_CH
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
164
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
order - 922 - LongWay..exe
Verdict:
Suspicious activity
Analysis date:
2022-01-18 10:51:48 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6e4bcebe-9145-4e40-abe4-bfd90d9d202e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/220088/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61e69728d32385db63011861/reports/ed3abc87-7a8b-429f-a126-b34b910d1d9c/overview
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/954c7db5-498d-44be-8d64-d877b0390050
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/922287
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 554761 Sample: order - 922 -#U00a0LongWay..exe Startdate: 18/01/2022 Architecture: WINDOWS Score: 100 34 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->34 36 Found malware configuration 2->36 38 Yara detected AgentTesla 2->38 40 7 other signatures 2->40 6 order - 922 -#U00a0LongWay..exe 3 2->6         started        8 tKZVPq.exe 3 2->8         started        11 tKZVPq.exe 2 2->11         started        process3 signatures4 13 order - 922 -#U00a0LongWay..exe 2 5 6->13         started        42 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->42 44 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->44 18 tKZVPq.exe 2 8->18         started        20 tKZVPq.exe 2 11->20         started        process5 dnsIp6 28 demo.jeninfo.com 103.195.185.115, 49824, 587 PUBLIC-DOMAIN-REGISTRYUS India 13->28 30 mail.demo.jeninfo.com 13->30 32 192.168.2.1 unknown unknown 13->32 22 C:\Users\user\AppData\Roaming\...\tKZVPq.exe, PE32 13->22 dropped 24 C:\Windows\System32\drivers\etc\hosts, ASCII 13->24 dropped 26 C:\Users\user\...\tKZVPq.exe:Zone.Identifier, ASCII 13->26 dropped 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->46 48 Tries to steal Mail credentials (via file / registry access) 13->48 50 Tries to harvest and steal ftp login credentials 13->50 52 3 other signatures 13->52 file7 signatures8
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/677f87ed7f90d728e6cf4b15625778cd7ccb0fab76e39f06a5888046532c4639/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2022-01-18 10:32:09 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=m57yp3l7sdlsrzwpjmkwev3yzv6mwd5lo3rz6bvfrcaemuzmiy4q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0974d2f5ff0dcf2ce40a1c624bc4c586baec6ba6367dbd782f862bcc18ad85c9
AgentTesla
15bc03df7d5a650a79d71a458761aa22c05ab3a22bf451c723d2851a86b60418
AgentTesla
27ff4d7994a19e27c347e7794e0e48fa5c66f36e4f27ab407f9044494dd8c5a5
AgentTesla
3cbf94c22af49ad9be152750428263c826c9b020036a0321f10f9fe2eed6ae52
AgentTesla
86424b83a78d744d1f61082abfe210f13bc14684dc02fff3794b0d5a6d9078c0
AgentTesla
a10c8f6f2e5f9d2b4654edfca38d5d1ed998bab6840e67a8a2b08f6e938272f5
AgentTesla
a16f475c93da510d109b982cd2153a0a60e37b85c2549cc0c6c2fb8a70c736d1
AgentTesla
af6d1f6a274a8eb43f9f515f9a5b99fa0163237794d6b27d6f9658b1b1615c11
AgentTesla
f2179971d7a45be56da4188b09ef676fea06722eadfea5065694ac70f4c7ecce
AgentTesla
+ 14'092 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/220118-mkzddaaga4/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
8995963e6cd0f365fc545572145fbe99132b3a2a4311deb1de6be6cf676f54da
MD5 hash:
9d0dcb3ac59dcf93c703cf2a96b6d8d3
SHA1 hash:
1c58a237720c3236ecd7dcdd3749400c133ee6aa
Link:
https://www.unpac.me/results/53912945-fde1-4bf2-90e2-aa8bb2d417f8/
SH256 hash:
894699c61bf8eedc774adea2141ed42a366b7347cca919df556ee0e1906a24bb
MD5 hash:
497dc78c25ccfa371dd30a0024b49222
SHA1 hash:
16cd281bbcc466583725bcf42c2c40c96267b1c5
Link:
https://www.unpac.me/results/53912945-fde1-4bf2-90e2-aa8bb2d417f8/
SH256 hash:
b75ec5e79a2950e55aa7849e13404e8c9306256e6b9355089da890e6b6e14996
MD5 hash:
d6b3f5aab08853bead8975532594a6d7
SHA1 hash:
040aa10a04d0223b4593e133b8904b5fe9fbe83c
Link:
https://www.unpac.me/results/53912945-fde1-4bf2-90e2-aa8bb2d417f8/
SH256 hash:
677f87ed7f90d728e6cf4b15625778cd7ccb0fab76e39f06a5888046532c4639
MD5 hash:
2d75d2ea7a69a5ddf9187e2720cd7096
SHA1 hash:
fd37af7ce04d523ba3d56799cbc6f1553c98304b
Link:
https://www.unpac.me/results/53912945-fde1-4bf2-90e2-aa8bb2d417f8/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/677f87ed7f90/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/677f87ed7f90d728e6cf4b15625778cd7ccb0fab76e39f06a5888046532c4639

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 677f87ed7f90d728e6cf4b15625778cd7ccb0fab76e39f06a5888046532c4639

(this sample)

  
Dropped by
agenttesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/220088/

Comments