MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7a960f3325dc0cea2f5b8e6567070ace6c848cba6b5851a97d4b066612964ee1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 7a960f3325dc0cea2f5b8e6567070ace6c848cba6b5851a97d4b066612964ee1
SHA3-384 hash: 76fb2034f8d8e77d586ca6edfbbea3998558692ef06d7f22cbe9731063629b674e8a8390a7c8b4b1cc228fdd55700211
SHA1 hash: 86aeb8312c1efe8b156ffe66debd2607b935bece
MD5 hash: 757aff7f0a66abbe01efefbb8b3396ae
humanhash: south-eight-beryllium-louisiana
File name:PAYMENT_DETAILS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'217'024 bytes
First seen:2020-09-14 05:35:24 UTC
Last seen:2020-09-14 06:52:27 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:S2Z32EsDDjJgz8gfqnpmMpUeaSy8qQUrJK+YnNBBCjAJwz7H:S2p2EsHuz84qntNaSyEUrJK+XAJU7H
Threatray 9'229 similar samples on MalwareBazaar
TLSH 33450101258D8B67D3B94BF9443BB42003BEAD82FED6D1A89D49B4EE543DF5D9210F22
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/58940/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.63280.23420.15626.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Changing the hosts file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/464998
Signature
.NET source code contains potential unpacker
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 284908 Sample: PAYMENT_DETAILS.exe Startdate: 14/09/2020 Architecture: WINDOWS Score: 100 56 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->56 58 Found malware configuration 2->58 60 Multi AV Scanner detection for dropped file 2->60 62 10 other signatures 2->62 7 PAYMENT_DETAILS.exe 6 2->7         started        11 WCPCe.exe 2 2->11         started        13 WCPCe.exe 1 2->13         started        process3 file4 34 C:\Users\user\AppData\Roaming\rIhVsG.exe, PE32 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmpD78B.tmp, XML 7->36 dropped 38 C:\Users\user\...\PAYMENT_DETAILS.exe.log, ASCII 7->38 dropped 64 Writes to foreign memory regions 7->64 66 Injects a PE file into a foreign processes 7->66 15 RegSvcs.exe 2 4 7->15         started        20 RegSvcs.exe 7->20         started        22 schtasks.exe 1 7->22         started        24 conhost.exe 11->24         started        26 conhost.exe 13->26         started        signatures5 process6 dnsIp7 40 prcpl.com 173.254.75.123, 49713, 587 UNIFIEDLAYER-AS-1US United States 15->40 42 mail.prcpl.com 15->42 30 C:\Users\user\AppData\Roaming\...\WCPCe.exe, PE32 15->30 dropped 32 C:\Windows\System32\drivers\etc\hosts, ASCII 15->32 dropped 44 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->44 46 Tries to steal Mail credentials (via file access) 15->46 48 Tries to harvest and steal ftp login credentials 15->48 54 3 other signatures 15->54 50 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 20->50 52 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 20->52 28 conhost.exe 22->28         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/7a960f3325dc0cea2f5b8e6567070ace6c848cba6b5851a97d4b066612964ee1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-14 01:21:16 UTC
File Type:
PE (.Net Exe)
Extracted files:
36
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=pkla6mzf3qgoul23rzswobykzzwijdf2nnmfdkl5jmdgmeuwj3qq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3b4fb17419bd0e04f1ccd704484fd4f26f1a583871924641a52d4f9440301947
AgentTesla
516b29be6f0d91a249adca2b26381bfa5b90cf6a643d1b621095c6425a74795b
AgentTesla
68b6aee99f9d4bf184c77beacb3b8a418f84a7efa606e5bd7f4fd57edb904054
AgentTesla
bbb1cd2d138cd5331c4a1ef19a81688c45704fe3e96dbda7b7ffd8317b70fd84
AgentTesla
bf6685f531efdf06db86ed0e735fcbe612858213677111ad900a02164cd77efd
AgentTesla
d17de71fad23c19ea4e181c8fe33be0fc230d15be13e6d3c755c77e7ff1519d5
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
dfe001ed1950d612ea59a75c6367629ff0e031853e9f7a12b7f0381a4f20660f
AgentTesla
e3e667f5f3f179990bcb4616c8e5d56eeb8399bd867799c4bc68fac82c9b0a0f
AgentTesla
ee923a4dd9e77a796c589b01ed52bfd3d5b72502e8307c9c362a2d9f6379d197
AgentTesla
+ 9'219 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Link:
https://tria.ge/reports/200914-cbk4ytxcyj/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/7a960f3325dc0cea2f5b8e6567070ace6c848cba6b5851a97d4b066612964ee1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 995adaa1d9bb412e1477795b1232170f79beeeeb705f8dbc802f76cb93a3923e

AgentTesla

Executable exe 7a960f3325dc0cea2f5b8e6567070ace6c848cba6b5851a97d4b066612964ee1

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 995adaa1d9bb412e1477795b1232170f79beeeeb705f8dbc802f76cb93a3923e
Cape
Cape
https://www.capesandbox.com/analysis/58940/

Comments