MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 718f9065e9aff74288e63d800e903057b889d54913c8ce27fc7859cf2643018b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 718f9065e9aff74288e63d800e903057b889d54913c8ce27fc7859cf2643018b
SHA3-384 hash: ef031255fcd9000414b1719c98bb4b1f2f4a53903c0f7a4643472851324b6586af9f97fd2e77ee93aaa971ab95092749
SHA1 hash: 29f3dd0b5dce262ab7cdf318df7523e508963541
MD5 hash: c3a5ba43f3c6b80f4ba41af853ba1eea
humanhash: wisconsin-colorado-november-yellow
File name:Current SOA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:900'096 bytes
First seen:2021-05-06 07:16:40 UTC
Last seen:2021-05-06 08:15:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'664 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:hL1fxhwL8mLAHefRIZtbVqrTwqEZbndWMWH+pLTfyXACaMuYvKZ:LZyJAH/ZtxqEZbIMO+NDQvs3Z
Threatray 4'813 similar samples on MalwareBazaar
TLSH 89159C04B7A45BE7C2CE43B9E19D271153F1D416B29EBB8B6948FAF93C9339189001E7
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/151389/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.AATQ.32502.202.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/713537
Signature
.NET source code contains potential unpacker
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 405694 Sample: Current SOA.exe Startdate: 06/05/2021 Architecture: WINDOWS Score: 100 45 Found malware configuration 2->45 47 Yara detected AgentTesla 2->47 49 Yara detected AgentTesla 2->49 51 7 other signatures 2->51 8 Current SOA.exe 18 8 2->8         started        process3 file4 31 C:\Users\user\AppData\...\Current SOA.exe, PE32 8->31 dropped 33 C:\Users\user\AppData\...\zKhqvggbxn.vbs, ASCII 8->33 dropped 35 C:\Users\...\Current SOA.exe:Zone.Identifier, ASCII 8->35 dropped 37 2 other files (1 malicious) 8->37 dropped 53 Writes to foreign memory regions 8->53 55 Injects a PE file into a foreign processes 8->55 12 Current SOA.exe 2 5 8->12         started        16 wscript.exe 1 8->16         started        18 AdvancedRun.exe 1 8->18         started        21 2 other processes 8->21 signatures5 process6 dnsIp7 39 C:\Users\user\AppData\Roaming\...\MSword.exe, PE32 12->39 dropped 41 C:\Users\user\...\MSword.exe:Zone.Identifier, ASCII 12->41 dropped 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 12->57 59 Wscript starts Powershell (via cmd or directly) 16->59 61 Adds a directory exclusion to Windows Defender 16->61 23 powershell.exe 16->23         started        43 192.168.2.1 unknown unknown 18->43 25 AdvancedRun.exe 18->25         started        27 AdvancedRun.exe 21->27         started        file8 signatures9 process10 process11 29 conhost.exe 23->29         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/718f9065e9aff74288e63d800e903057b889d54913c8ce27fc7859cf2643018b/
Threat name:
ByteCode-MSIL.Downloader.Seraph
Create hunting rule
Status:
Malicious
First seen:
2021-05-06 01:17:42 UTC
AV detection:
2 of 47 (4.26%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=oghzazpjv73ufchghwaa5ebqk64itvkjcpem4j74pbm46jsdagfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2760abb67bdb754b7e7878df83549c332785054b337800e7598a4f394a81da12
AgentTesla
7a932297ce3ab50a8990b122a596afa1d4229fb47040eea10934f720c1aef210
AgentTesla
812a71bf7c8bec5ba792953f300d7c16f4748351b2058dfca5d38cbb1680e40b
AgentTesla
a0dff0bf5eb951b2371c5ccdd3d5787c12990fd50a4fe5092d3e6d1286fec8e6
AgentTesla
a659a457c8954db3ca3bd4e5f48bc06f9636885aa9f1d51a2348a029b30f79cc
AgentTesla
a8a9cb21be93047b223bd90d741d9eabdde0d1272f738f4c64720e5caceafe89
AgentTesla
abec75c995b6bac05ca3aa49002dedb12a4fc7194e93f814f3edbb996d9cfa7a
AgentTesla
af72dea6102f0d8aecc1f2b5963749e739606c200e6af52a7cecd6b1a8e7f29c
AgentTesla
cdb8cf995f8287a1f64cd035c4e34e047e23a3218dbf50b0fcf321ecd464094e
AgentTesla
dea2e88e71d3b38500aca694a9ba1f476d8db14e5389a2cf70b23cad51eb33c9
AgentTesla
+ 4'803 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210506-hvs3r1ypxj/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
SH256 hash:
b04eba933c4f4f49bb573531e0f74cfa3c4d81677ad84c7166328088a1a88006
MD5 hash:
317463a0c371f331e23f4884559f1faf
SHA1 hash:
f6363317815d1d57bcd02f2a57974eb6fce38b3c
Link:
https://www.unpac.me/results/7cbbebc9-29c4-4440-a9c7-52d82041fdaf/
SH256 hash:
4a6c59e0cbecdb2085acd6abe21868b971bef442dfabee1966eba7d726361fe3
MD5 hash:
fd44dc1683ec11b0f8e123d4b67c6a91
SHA1 hash:
6b4eaf1c988758de5bb38b45576ab7036afd3e2d
Link:
https://www.unpac.me/results/7cbbebc9-29c4-4440-a9c7-52d82041fdaf/
SH256 hash:
ddd8690f88657df31609fdc336feeb732e4385eacc62bd7a4b2caf35c775877c
MD5 hash:
da0f9b96d60908066bdf71169eab0b37
SHA1 hash:
59c9773b17123dedaa55021a90b8ef4b9d94e33a
Link:
https://www.unpac.me/results/7cbbebc9-29c4-4440-a9c7-52d82041fdaf/
SH256 hash:
e8882eb2d37f25b8bad24a830c10164002254e26c667a7d3177db919d923738f
MD5 hash:
913e041e685d83af0072b97f929ab1d0
SHA1 hash:
45f5f2324bb28076338650998e7b3d43ac51d041
Link:
https://www.unpac.me/results/7cbbebc9-29c4-4440-a9c7-52d82041fdaf/
SH256 hash:
718f9065e9aff74288e63d800e903057b889d54913c8ce27fc7859cf2643018b
MD5 hash:
c3a5ba43f3c6b80f4ba41af853ba1eea
SHA1 hash:
29f3dd0b5dce262ab7cdf318df7523e508963541
Link:
https://www.unpac.me/results/7cbbebc9-29c4-4440-a9c7-52d82041fdaf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/718f9065e9aff74288e63d800e903057b889d54913c8ce27fc7859cf2643018b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/151389/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-05-06 08:10:54 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0023] Execution::Install Additional Program