MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 765622475f6dbfe564a2c84b050b1993aa0168fb2ca34d67e4c7fb641b302678. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 765622475f6dbfe564a2c84b050b1993aa0168fb2ca34d67e4c7fb641b302678
SHA3-384 hash: 7b5624f77657670d0cf98378070ad1299270e92e1da0a1b86fde6913fc88324e16c1f05b33933a70dd3ba2bcd1ea877d
SHA1 hash: b8270d17524c95695f5648fedb2021b77a4a2d5c
MD5 hash: 2a5fa219256b94a25aa7adbb05e00a2b
humanhash: crazy-september-nitrogen-sixteen
File name:TT Swift copy.,.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'757'696 bytes
First seen:2020-09-28 13:50:53 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 49152:qcyrKmW/P82MU/I6kbmzFab95Xs876oK3:QXW/zI6smRabrxY
Threatray 10'290 similar samples on MalwareBazaar
TLSH 4F85CF2131A8FA5AE0A80FB41261F172C6745E6A9997C140BFB332FE96F17C43D54B27
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66436/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42595.17741.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/476457
Signature
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290687 Sample: TT Swift copy.,.exe Startdate: 28/09/2020 Architecture: WINDOWS Score: 100 49 Antivirus detection for dropped file 2->49 51 Antivirus / Scanner detection for submitted sample 2->51 53 Multi AV Scanner detection for dropped file 2->53 55 8 other signatures 2->55 7 TT Swift copy.,.exe 6 2->7         started        11 BAVLA.exe 2 2->11         started        13 BAVLA.exe 1 2->13         started        process3 file4 31 C:\Users\user\AppData\...\rPezKPVGXtS.exe, PE32 7->31 dropped 33 C:\Users\user\AppData\Local\...\tmp264D.tmp, XML 7->33 dropped 35 C:\Users\user\...\TT Swift copy.,.exe.log, ASCII 7->35 dropped 57 Writes to foreign memory regions 7->57 59 Injects a PE file into a foreign processes 7->59 15 RegSvcs.exe 2 4 7->15         started        19 RegSvcs.exe 7->19         started        21 schtasks.exe 1 7->21         started        27 3 other processes 7->27 23 conhost.exe 11->23         started        25 conhost.exe 13->25         started        signatures5 process6 file7 37 C:\Users\user\AppData\Roaming\...\BAVLA.exe, PE32 15->37 dropped 39 Tries to steal Mail credentials (via file access) 15->39 41 Tries to harvest and steal browser information (history, passwords, etc) 15->41 43 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->43 45 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->45 47 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->47 29 conhost.exe 21->29         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/765622475f6dbfe564a2c84b050b1993aa0168fb2ca34d67e4c7fb641b302678/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 10:30:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
32
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ozlcer27nw76kzfczbfqkcyzsovac2h3fsru2z7ey75wigzqez4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
16dcfdc5058dc23b3bca6986d18dd6119ddb0d13b982dd5b7a83b957e3c5da7d
AgentTesla
18a2826ae0c8ce3e76a5cb806e89d0070f70cc372cf37468721b8caf8529f401
AgentTesla
3333a191bc36b4a7a76e51c0b7b83c5d2b7d253f074789c2302ec598c30711b3
AgentTesla
529a07889f04d93d54830021a424321fd763b41fe8b8941de3ea1c79eae21532
AgentTesla
778999d611a2a22f82d48b71e94588b86336376e30b07cb1c3f2230959cc10ab
AgentTesla
9405885336e177508e9e2790e23bb7e8f11a070e3c7262bf70f4da6beb598c75
AgentTesla
aaeb8dbb55dfc7eae9879ef959b1321b70c90784ed1c434cd4fd4583e92cf163
AgentTesla
b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d
AgentTesla
dc17f58054bc14cd28845998cad76324467d4a028a063dbd3846b2de0df5c89c
AgentTesla
dd48b3a67ab61431928bff75ec0dd6a64bae646306b68109ef6e02afbf2e4d46
AgentTesla
+ 10'280 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla persistence
Link:
https://tria.ge/reports/200928-v6f5l5xpe6/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
765622475f6dbfe564a2c84b050b1993aa0168fb2ca34d67e4c7fb641b302678
MD5 hash:
2a5fa219256b94a25aa7adbb05e00a2b
SHA1 hash:
b8270d17524c95695f5648fedb2021b77a4a2d5c
Link:
https://www.unpac.me/results/e2743636-86e2-4303-8900-037eef3bdcc3/
SH256 hash:
ed59b3fc26de2b31e908f025c23d01eb8ed9834b2bdd740745e1dc0737e443b9
MD5 hash:
d67f7450a64932b410ed9cb2e02b52cc
SHA1 hash:
a4d7f12bd7f03b55b5c05ee1794e566b8521baaa
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/e2743636-86e2-4303-8900-037eef3bdcc3/
Parent samples :
765622475f6dbfe564a2c84b050b1993aa0168fb2ca34d67e4c7fb641b302678
1dbc1c2ea41a79c3046b9f0796248ba48db207c93fb7c1521e81763671298144
6d73b61228e78c8e44db200696182dd1287981e0b433ad534fec23ae19eff146
532051adf5893bf586b56210af5c7f3c4e8f72cfecf8ef52687f34e1fea17ab3
da505ce244393d643b3e6aec90db41401a9685c56bec2e5eb0c5117b33e66eb1
57b7d138364e73bd3a7569d66edde728f9827be45f04d78b3213f7027083d985
SH256 hash:
a49ef5e366e7b4812f00cf30a49c2481278af08a9f4076e6c7515e64f60cc9cf
MD5 hash:
c8d6241f5db2f3380ca13e7a51cee2f2
SHA1 hash:
d60e7c8512504cf4a49e6f66c3cc740320496013
Link:
https://www.unpac.me/results/e2743636-86e2-4303-8900-037eef3bdcc3/
SH256 hash:
729a1b125fb330463c22a87c061e384300f49bd9d6793836bb3e52bcb61cc03f
MD5 hash:
ac3f427e66b28b013b0b651c2f71d1e9
SHA1 hash:
ddf8b4b1d36aced75740632b41d30add06b5db3d
Link:
https://www.unpac.me/results/e2743636-86e2-4303-8900-037eef3bdcc3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/765622475f6dbfe564a2c84b050b1993aa0168fb2ca34d67e4c7fb641b302678

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/66436/

Comments