MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
SHA3-384 hash: b2ff2029e4248c30e33ff1b869d359d9865409b85c47373c4650d338af999d212dba36b39e0c627de20d6b1730b94488
SHA1 hash: 19841fd70438856b3c971274cb2ef368b955171b
MD5 hash: 68e94654216d6f7441ae3c07f4cf8059
humanhash: sink-oven-queen-papa
File name:sup.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:549'888 bytes
First seen:2020-12-08 16:44:51 UTC
Last seen:2020-12-08 18:51:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'648 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:IjeiZbrGHHd3swPhsGx0el1EuEt8Mw3B1FVdK05mT1:ZiZnGnd31hsonn3cKmT1
Threatray 1'750 similar samples on MalwareBazaar
TLSH 53C4F1311616AFAFD7790F7A96082204CEB4F42BBA22F79CBF8140D505E67984D61EF1
Reporter abuse_ch
Tags:AgentTesla exe HostGator


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gateway20.websitewelcome.com
Sending IP: 192.185.48.38
From: maurizio ricci <maurizio.ricci@studiomquintavalle.it>
Subject: Urgent Inquiry
Attachment: sup.rar (contains "sup.exe")

AgentTesla SMTP exfil server:
mail.virtualbridge-qatar.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
204
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
sup.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-08 16:58:20 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/4a5ac9b3-e34e-4cb3-a898-ef64fba8e990

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/107318/
Detection(s):
SecuriteInfo.com.Trojan.InjectNET.14.1770.8466.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/558233
Signature
Found malware configuration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 16:45:31 UTC
AV detection:
19 of 48 (39.58%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ok3dqmwfo3pgj3hvz57pap4wldv5jfoj5swhz2nd4g57pppdrz2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f9f0bd1c94784a9426a81cd5cec73dd110cd63d96938127ad8cd4a25a7c678f
AgentTesla
39e625803cb04a4b13320ed7b5dbf8abae734a53a5cf6884ae29dd4e49b430f7
AgentTesla
5810e9d665fa5ed5d1fa801d54574d2f75805e745c3e29bad8bd95226cfe684c
AgentTesla
79b389a2c5008f4d1be19062d8b736a654600dc57566a8e24c66e818f65d3d36
AgentTesla
98fb18db59cb89a6d332a223c7b2d547bad41cf3b06ed2eaa75f6894049b5358
AgentTesla
a2faafe17f1c5486ce97238fa62db005afd9af7b53b1d15672c098db19129346
AgentTesla
cc8de0f68549d84a62dcd11df6625b2bfe08a6cfaea102f4710e28969a60f689
AgentTesla
d2bf967449913fb1af71ef3b38581eeb0ac7519e3a480657a78336dcfc615bf4
AgentTesla
e7ccbe9dfaa198263b85336d9f89a775f7601070708ce65b9e4612332e0207b8
AgentTesla
f1eee793a63b26c3b031faad22f15c106caeda0b91800efab5d3c10791806293
AgentTesla
+ 1'740 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201208-sw8jcds91s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75
MD5 hash:
68e94654216d6f7441ae3c07f4cf8059
SHA1 hash:
19841fd70438856b3c971274cb2ef368b955171b
Link:
https://www.unpac.me/results/a0c3e201-bbfb-4d81-9729-2830421bbe49/
SH256 hash:
c1fa7d00070a47bbfc9570a175c5275c3fffe5448d24a03e32b92165bd3ab027
MD5 hash:
74ed7c1eb2d30d34d4124338d91a258d
SHA1 hash:
31d9824ecd1899d5495f104016c850e250a56a76
Link:
https://www.unpac.me/results/a0c3e201-bbfb-4d81-9729-2830421bbe49/
SH256 hash:
c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94
MD5 hash:
a60401dc02ff4f3250a749965097e13f
SHA1 hash:
3f22d28fd765f831084cb972a8bd071e421c26a1
Link:
https://www.unpac.me/results/a0c3e201-bbfb-4d81-9729-2830421bbe49/
SH256 hash:
da69d16c39cbb127da217af0f7de665154d888c01f90f7e2bea614e4e59c1ee3
MD5 hash:
32855fce8ce89af994a8427d03fec430
SHA1 hash:
e4f48f23c29f7e4b030e3fbfee1acc12b4a732c6
Link:
https://www.unpac.me/results/a0c3e201-bbfb-4d81-9729-2830421bbe49/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:SUSP_Reversed_Base64_Encoded_EXE
Create hunting rule
Author:Florian Roth
Description:Detects an base64 encoded executable with reversed characters
Reference:Internal Research
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 98835b625efa34edb1b3d738ea5bd64e044eb3a5175a0766b1add57c0fe6bb05

AgentTesla

Executable exe 72b63832c576de64ecf5cf7ef03f9658ebd495c9ecac7ce9a3e1bbf7bde38e75

(this sample)

  
Dropped by
MD5 7b5e99d93dc12d168c22dc349dd5b7d3
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 98835b625efa34edb1b3d738ea5bd64e044eb3a5175a0766b1add57c0fe6bb05
Cape
Cape
https://www.capesandbox.com/analysis/107318/

Comments