MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8193d638399a6801bdb374053b0da2844ac5d64c4740c776707e99ffbb7d07a4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	8193d638399a6801bdb374053b0da2844ac5d64c4740c776707e99ffbb7d07a4
SHA3-384 hash:	ab866a24526ad740b2d4788dba80334f2c652e581b58e3e324466bd38601df6362d9f0f43c554034af69885ad97504da
SHA1 hash:	d75846ad7b477c8b7207bbee6197b90110843a73
MD5 hash:	12694c2a3adb2c2d9789640afb892908
humanhash:	early-kansas-oklahoma-august
File name:	swift-ref_inv00891.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	616'960 bytes
First seen:	2020-07-30 06:46:30 UTC
Last seen:	2020-07-31 13:40:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:xGDi7DD99uLmA85sbACZMjUq2wnIDGPZIHQs6z:8DyDD90LmAnACugq2wnIDGPZIw5
Threatray	30 similar samples on MalwareBazaar
TLSH	B1D4D06CF7A0D814CBBE0279E6EC4804CFFC91959923D35A298467AB1DF3765F5002BA
Reporter	jarumlus
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/35306/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.373.3308.25220.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/403192

Signature

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/8193d638399a6801bdb374053b0da2844ac5d64c4740c776707e99ffbb7d07a4/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-07-30 02:40:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qgj5mobztjuadpntoqctwdncqrfmlvsmi5amo5tqp2m77o35a6sa._file

Verdict:

suspicious

AgentTesla

180e4218ee6183934cbb4750a6394ab8faa8910ad2215df3334323f43e161758

AgentTesla

3d45c2d722943f528c0d86394c729d962a122f2fde067e69870220cdfb54cbe1

AgentTesla

62095cef3bfa5446283f4477cb8f855e12e3992686712f6d2ff07dfca0f9f364

AgentTesla

7c1c73ea7abca6e91c125085275f01c1964451c9444b5f76dfab7fd7a981dff2

AgentTesla

9ec8e30fe5bac7ee3e9c096fc3702286d6c0fbee3ae1fa4cd7d5a6a411b600e5

AgentTesla

a330dfb1074f6b02e49e5835f820821b0e75f691dac46057332381d172f640ea

AgentTesla

b770e145ef0e53fe2df0d45b04230e97dd214e209bfe9860dfa56988dd7d1796

AgentTesla

d04dfa9f36d64e850ec774b59542cf7e07167144fd6646c3cb3a99740ff75ce0

AgentTesla

d7df383ae33fe09cfbc44e49d9430d1e84a4cd2c8398441102cb53a4f6a4b694

AgentTesla

+ 20 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence spyware

Link:

https://tria.ge/reports/200730-3ht37cn666/

Behaviour

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/8193d638399a6801bdb374053b0da2844ac5d64c4740c776707e99ffbb7d07a4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar