MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 757f7141daf24169ff3694cdf0247b7ce0b71c66a970837a71149a69b5b6d371. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 757f7141daf24169ff3694cdf0247b7ce0b71c66a970837a71149a69b5b6d371
SHA3-384 hash: e11593365d7902ad08b6a09af44d865cc3ea5bc86c6fdd81864f1d0f46113fbe0a7a3b069da832ba4d86bfd1c5c88603
SHA1 hash: ba0315e91c131f87c832f2210239a19e802f32b9
MD5 hash: b6df5864fc6fa87ba731b8986ae5a352
humanhash: edward-fifteen-august-earth
File name:osasuna.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'088'000 bytes
First seen:2020-08-31 05:38:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 73ae1eef07955a270fc7a7f873444c85 (16 x AgentTesla, 8 x MassLogger, 5 x Loki)
ssdeep 24576:0QvrCXEucruic247nrns/3ziYDuqk/E9xB5U:0IsTs7iObU
Threatray 11'002 similar samples on MalwareBazaar
TLSH 86359E62F2924437D1732A3C9C5B57B49C3ABE006D28784A7BF9DD8C4F3968178352A7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

From: "Mr.Rakesh Tate" <rakesh.account_department@gmail.com>
Reply-To: rakesh.account_department@gmail.com
Subject: PROFORMA INVOICE. ( Different Bank Details )
Attachment: New proforma Invoice Pdf.zip (contains "osasuna.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/53231/
Detection(s):
PUA.Win.Adware.Webalta-6854075-0
Create hunting rule

PUA.Win.Adware.Webalta-6862190-0
Create hunting rule

PUA.Win.Adware.Webalta-6879873-0
Create hunting rule

SecuriteInfo.com.Trojan.DownLoader34.29944.17906.10656.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Sending a UDP request
Reading critical registry keys
Launching the process to change network settings
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/454822
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/757f7141daf24169ff3694cdf0247b7ce0b71c66a970837a71149a69b5b6d371/
Threat name:
Win32.Trojan.DelfFareIt
Create hunting rule
Status:
Malicious
First seen:
2020-08-31 00:08:36 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ov7xcqo26jawt7zwstg7ajd3ptqlohdgvfyig6trcsngtnnw2nyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
121cba7566201217f8725044bc4e51283b873305c5e84b9e1623313cefa5fe4b
AgentTesla
4d27b24408ccaed59ba5977e7e7309fc42fc9964bc4e3d4cd3ac363f1b539454
AgentTesla
611656c80c7c9b32e24f770d70ba8488cd2b4079b35f7308fd4261d06480ec3f
AgentTesla
99fa917c6f97756ac7ced3ca06142728178550f72be70326ab30420fd4e9797e
AgentTesla
a13d0c1da0acc8ec21d9582a9b3fd02537618a644c6bad4e9df9d59988662563
AgentTesla
ad660d774f78137622d038976557c8782211dbfd39d2ff9a7a4bcc9279ba0f41
AgentTesla
d169af713aac6178816694e1006b2e9f6411687fb13ed0402792222d380624f1
AgentTesla
edea4daffcfebbb11f70cfa4fdcc38c85eeb8de82fe6be10e41efb520f7c7496
AgentTesla
f484f2e953d9571e035e86dd89c82755ce0684fddd30b3d41bac21ac65f0cff4
AgentTesla
f973277a035ffef0b6da3768b836cb041895b7db7d9af0e89dbd2af3a55b3dfe
AgentTesla
+ 10'992 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx keylogger stealer spyware trojan family:agenttesla persistence
Link:
https://tria.ge/reports/200831-jrl5rykymn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/757f7141daf24169ff3694cdf0247b7ce0b71c66a970837a71149a69b5b6d371

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip db3b9bd7d52e0d20154b8e928b0864b84e938b2ca5984cb83b2e2f51b6eec06e

AgentTesla

Executable exe 757f7141daf24169ff3694cdf0247b7ce0b71c66a970837a71149a69b5b6d371

(this sample)

  
Dropped by
MD5 422921d591d28469a41687b7ba87d041
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/53231/
  
Dropped by
SHA256 db3b9bd7d52e0d20154b8e928b0864b84e938b2ca5984cb83b2e2f51b6eec06e

Comments