MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 74d935398b83fb7e73bef7bd8127a4421bbfe3b41eee9dd914b546132ce742c2. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 74d935398b83fb7e73bef7bd8127a4421bbfe3b41eee9dd914b546132ce742c2
SHA3-384 hash: 3f6c4d0453852e85be907abba0f481bb4b17baf914cbd65a4456260ba14475c91126ffb691aa8d2c3c865e663b2b3325
SHA1 hash: 3cf864a49fbb27d90922f0ded0f1e0024dbc8923
MD5 hash: e0bb75f8b0ccc21d2431eeeb78b31c9b
humanhash: connecticut-sink-five-salami
File name:Credit Advice_9951750.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:864'256 bytes
First seen:2020-12-27 07:43:57 UTC
Last seen:2020-12-27 09:36:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:8F4e3OW97KjYvDfqvabc8lJCWFDuAsWl+TySkOHx/jikOUVCPnypgV8UkVsQs:6r98YvDfAa9l3FaDWXWHxWHKg7kVJ
Threatray 2'033 similar samples on MalwareBazaar
TLSH 0405129136F89712D2BF4BB8D864040047B6F69A69A3F71D5DC164CA2BA27430F93F27
Reporter abuse_ch
Tags:AgentTesla bat


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ns1.webrikahost.com
Sending IP: 77.223.134.12
From: CBD-e-RemmitanceAdvice@cbd.ae <bunyamin@cimentabela.com>
Subject: Delivery Notification
Attachment: Credit Advice_9951750.7z (contains "Credit Advice_9951750.bat")

Intelligence

File Origin
# of uploads :
2
# of downloads :
322
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Credit Advice_9951750.bat
Verdict:
Malicious activity
Analysis date:
2020-12-27 07:49:04 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ed8a76c9-bfce-4773-ae3a-137b7b5bd50c

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/109558/
Detection(s):
SecuriteInfo.com.ArtemisE0BB75F8B0CC.23043.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/570338
Signature
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/74d935398b83fb7e73bef7bd8127a4421bbfe3b41eee9dd914b546132ce742c2/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-12-27 07:44:16 UTC
AV detection:
17 of 29 (58.62%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=otmtkomlqp5x4456666ycj5eiin37y5ud3xj3wiuwvdbglhhilba._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0063947555fada876477c4e186d19517a3894d56153477590b0d6367ec80fe2d
AgentTesla
25f49f7e6a95a52bd15fb0ab81e5d53b5753d813a14edac8eccaa5bbba4cf57b
AgentTesla
282b444948b90498fd3153e63e35c2831287d10543dc93fc28c3af1b289e125a
AgentTesla
3431190b4acce9544602d5d6ef411b64f0f0ebcd7628cec487e5a39347720d7a
AgentTesla
4a02298fbd57972ec5702a4969b5f8320beb3de08846d083afda00385dc9d48d
AgentTesla
52d514639923395c838d6f682c4be02ce3ba7ff3c5de613824e51ce0280a74cb
AgentTesla
6f175e5ca3aed259ec1288d9dbd2510bff46dd383f95c07d9495570699934445
AgentTesla
dff521eb1bc7abe5eb779280c5d17c95310be7352ce5927c2173bf1d91a6ca97
AgentTesla
ecf592d2aed1d17b4c75e72a40edeb9b4396c8c9181cee7519ebe63bb7391870
AgentTesla
fb1c77156c32d3643f2b21550110a48c3bbf869d2f0aa099b7400646e1fcaeb5
AgentTesla
+ 2'023 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201227-3wsescfvrj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
74d935398b83fb7e73bef7bd8127a4421bbfe3b41eee9dd914b546132ce742c2
MD5 hash:
e0bb75f8b0ccc21d2431eeeb78b31c9b
SHA1 hash:
3cf864a49fbb27d90922f0ded0f1e0024dbc8923
Link:
https://www.unpac.me/results/bd841d75-0306-4c24-a911-0e177366252c/
SH256 hash:
ebdbdb7961668b3dccb621cb66471f7496283d563565cef2e9a7602d7cce0028
MD5 hash:
240a42fe14ad329161632de4adb204f6
SHA1 hash:
69756521887b3900ff59df760cfd5294886b2618
Link:
https://www.unpac.me/results/bd841d75-0306-4c24-a911-0e177366252c/
SH256 hash:
f4913d3d5ab7f26821a7edd5b3a6ea086f687da2ddc4f90b337b2815a3e74a8a
MD5 hash:
1757687d5e539ef1237eaadaa4ff397b
SHA1 hash:
ce79c3174bc4bf30c7df740e7a436d7daa82f7ad
Link:
https://www.unpac.me/results/bd841d75-0306-4c24-a911-0e177366252c/
SH256 hash:
e83cef9cfa4e2ea30e28843e43c60ebf8f6590fb753ad0aa5ed1123c01280527
MD5 hash:
bf99ee5fbf42797bd1ade95b109d634c
SHA1 hash:
e02abfdbca94a24a36b47d49a28360b79aabd294
Link:
https://www.unpac.me/results/bd841d75-0306-4c24-a911-0e177366252c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/74d935398b83fb7e73bef7bd8127a4421bbfe3b41eee9dd914b546132ce742c2

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z e2712faa636e7d93357a128702319889f337c129923a03a3db7cf8f8f6567f96

AgentTesla

Executable exe 74d935398b83fb7e73bef7bd8127a4421bbfe3b41eee9dd914b546132ce742c2

(this sample)

  
Dropped by
MD5 c349be380e9d019d772186f28153f039
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 e2712faa636e7d93357a128702319889f337c129923a03a3db7cf8f8f6567f96
Cape
Cape
https://www.capesandbox.com/analysis/109558/

Comments