MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 7b33b7ae792e3798138b97077985dc2d443977255a9320e4bfbd14d3eb46d147. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	7b33b7ae792e3798138b97077985dc2d443977255a9320e4bfbd14d3eb46d147
SHA3-384 hash:	397d713ceec43ee89cb4e7afbf639c89860cb9d2818070f57d180521617559d68ee0c3896ecefc64583152e2b5094b1a
SHA1 hash:	dd2c8d9b84f4e0ec8109f95f4cc7a61e1f8eeacb
MD5 hash:	59e99862e1433c6c506dc03cc775daf6
humanhash:	oven-angel-carpet-zebra
File name:	PO_003002939.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	564'224 bytes
First seen:	2020-07-28 15:45:25 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:xDuBxStSvtcl6PwkZQ5vex4CrgGek/swWmw1Nidded4SFP6n4gQw:xSPNvttPvZQ5vebrmgswo8ddy/4
Threatray	10'612 similar samples on MalwareBazaar
TLSH	F2C4E00421A86B1FD75B88B57427C0F02226D4A5EB61EE734E9FE0A719C26FE74C3527
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: mieq.com
Sending IP: 193.142.59.89
From: wan.azwanie@mieq.com
Subject: Urgent Purchase Order (PO2001-00106)
Attachment: PO_003002939.img (contains "PO_003002939.exe")

AgentTesla SMTP exfil server:
smtp.yandex.ru:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/33873/

Detection(s):

SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a process with a hidden window

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/400686

Signature

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/7b33b7ae792e3798138b97077985dc2d443977255a9320e4bfbd14d3eb46d147/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-07-28 15:47:07 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=pmz3pltzfy3zqe4ls4dxtbo4fvcds5zflkjsbzf7xuknh22g2fdq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1a5d841876ef1e6ad5a9ff4ff4f8d23687e2e80d62f1386fde805a8653110d98

AgentTesla

1d5c4bc37dad083e9b4f2361e6143c4c35ec666913488af8a75ceee52d48f805

AgentTesla

29428e98741ed026d977e77ca4a6af0c93dd970894d3b2d5cb25703d341a7664

AgentTesla

496b64b591fd2d02597c9f5a4e8570f6a169ae268de8ce463ee00c890a4ad112

AgentTesla

61f179ab9d877a4089f3a2e21db9d62537a9181fe6f58ba81a9eb2b0c45ac3a5

AgentTesla

634fe7f055e811f93c607b8e6f3333c2a5708236637c1accb3965284d82651bb

AgentTesla

6770ffec040c10ed6a13f0e654e9ac96763d3dd9c0c214ce658aa0648367216a

AgentTesla

af1c7c8b7ec14a80bcc5799f562caa774702607c610349a413e363ab0d0d6168

AgentTesla

ccce18331cd7c4dfcf2d6d441c9fce934d455d0c4009f8321ca54f8356ccd1b1

AgentTesla

+ 10'602 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200728-9gzvsx1eta/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetThreadContext

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads data files stored by FTP clients

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/7b33b7ae792e3798138b97077985dc2d443977255a9320e4bfbd14d3eb46d147

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar