MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7147d27de46b5d4ee9f129fb3ecd22eb69a94a1cc41c831f309ab61492cb8e74. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 4 File information Comments

SHA256 hash:	7147d27de46b5d4ee9f129fb3ecd22eb69a94a1cc41c831f309ab61492cb8e74
SHA3-384 hash:	c0eaf02b8de6dc3409cbdf7a47019fcc896a93ca63774d42b0e3e820ea54695cafd238bee8a42a40fe3ffdce7f0a1ce9
SHA1 hash:	b13866d42c0e04557b13b2d4dcd6aa798a76c7eb
MD5 hash:	0314935df73b87c0ed9fd49cc3e85adb
humanhash:	angel-virginia-spring-papa
File name:	PAYMENT SCHELDULE.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	491'520 bytes
First seen:	2020-09-10 05:26:11 UTC
Last seen:	2020-09-10 06:43:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	2ff2dc860b3be78716db0209b9220e29 (4 x AgentTesla, 3 x HawkEye, 2 x NetWire)
ssdeep	12288:elZw+eA1TLUO2nqjBClqDyEn57Dfyi6hko/YJRV21jieG5nE6x:eTx1TLU/nCBCuyEn57Dai6hGzsHaE6
Threatray	10'534 similar samples on MalwareBazaar
TLSH	64A423684955B5E3DAE07BB5524988F881BBD017F4081E076F57EE880E3C8979BF870B
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/58272/

Detection(s):

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Moving of the original file

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/462829

Signature

Contains functionality to detect sleep reduction / modifications

Executable has a suspicious name (potential lure to open the executable)

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Moves itself to temp directory

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/7147d27de46b5d4ee9f129fb3ecd22eb69a94a1cc41c831f309ab61492cb8e74/

Threat name:

Win32.Trojan.Kryptik

Status:

Malicious

First seen:

2020-09-10 03:02:55 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ofd5e7pennou52prfh5t5tjc5nu2ssq4yqoighzqtk3bjewlrz2a._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

254c1b8ff86ebe8a88aacb3172ea4c05289dc129d3364189bcdfd097e5f5ef6f

AgentTesla

6b2503a98a3f1b29173e7e42867b4ac5e21a825348b791ad4a6ea12966720514

AgentTesla

6c23d5aac98c05cf9faca072f1875f7fcde253a4a782dda7d897681bda6f92d9

AgentTesla

869e8a26e04953a411e7454c800e022bbbb3825320ab6e3935213357789f0844

AgentTesla

a9103ccf2939a9a9b54d8c50aa993af6fcf3ddda4e0491f1987fe09a83f98ab3

AgentTesla

c5e5b876e4f9963e75d86311ae11ccef749f3d7c77ad038a69e9f338294b0a9c

AgentTesla

ee7d22a474155d5a7b3e6fd89bee93170b4da713db4b65ad6252ef6a73636598

AgentTesla

f64f6cdf34223961fe65653d8fd5d66dc2fdc3e5d56422cdc5923765f78cf47d

AgentTesla

f7fe3c3f88aef6e3994fb4fd091930f5870998c1de9785c65b1294718563af97

AgentTesla

+ 10'524 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/200910-267n4j1l16/

Behaviour

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Barys

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7147d27de46b5d4ee9f129fb3ecd22eb69a94a1cc41c831f309ab61492cb8e74

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/