MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 834d1c44beb1b8c469300ca6378aa0b1283775867babb3d92fd0dae15ddd9dc7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	834d1c44beb1b8c469300ca6378aa0b1283775867babb3d92fd0dae15ddd9dc7
SHA3-384 hash:	34a8daee731e9822415321568358261542bb37f065bc022f89bc22e256b8f246ade60de8215181854531637c4b36deae
SHA1 hash:	7f3cf21876e425ac04644eef20742806f1b10550
MD5 hash:	636ac594f9262fa768e5de5605463761
humanhash:	uncle-hotel-green-california
File name:	ENQ Q10767 BIODINA GL115 Cabinet Grupo OncoclÃnicas,doc.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	795'648 bytes
First seen:	2020-08-13 10:31:21 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:rS1zkkNtheQOqLN+7i1G8i7l/KLOaurdzTwvBfmo:OGQ32L8i1R1V
Threatray	10'619 similar samples on MalwareBazaar
TLSH	2205292D7B85B818D53D053180FA5AC27771A64B3F51CB0F66CB639C6F03A9B3E4A189
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: pier.snetdns.com
Sending IP: 89.252.191.14
From: Arda Akarsular - Turmersan Savunma <arda@turmersan.com>
Subject: ENQ: Q#10767 BIODINA/ GL115 Cabinet - Grupo Oncoclínicas
Attachment: ENQ Q10767 BIODINA GL115 Cabinet Grupo Oncoclnicas,doc.rar (contains "ENQ Q10767 BIODINA GL115 Cabinet Grupo OncoclÃnicas,doc.exe")

AgentTesla C2:
https://cherryblossom.fashion/pan3/webpanel/inc/25111339f0fbd3.php

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/45088/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a file

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Creating a window

Creating a file in the %temp% subdirectories

Sending a UDP request

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/425848

Signature

Allocates memory in foreign processes

Contains functionality to register a low level keyboard hook

Injects a PE file into a foreign processes

Installs a global keyboard hook

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/834d1c44beb1b8c469300ca6378aa0b1283775867babb3d92fd0dae15ddd9dc7/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-13 10:33:05 UTC

AV detection:

21 of 28 (75.00%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qngryrf6wg4mi2jqbstdpcvaweudo5mgpov3hwjp2dnocxo5txdq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2c8c5c5e5990da4a2af218cfece6afda3f4830be6605b9767adbfbde2e5cd276

AgentTesla

354edf67a7ef4bce7dc3b2c20641a5a84407d26b880b21296150aa141dc3089d

AgentTesla

630667a466b8fa4783cd9921551834f41a9e3a40712cda832dc2faf61503c00f

AgentTesla

69842a6dc654dfc2d3a69b566e90679318cbac7209d4286df9af58b8e173ab90

AgentTesla

6f8b5cad56d107434291b260c5483479d0ac1d02498d5bfad7468a02dc7fc19d

AgentTesla

8d022dab121f77e8bc72f928612aa7d06f08f9e0726f509f28a4874f7b4cfe50

AgentTesla

b0c083472dee81acc9ce7dc31bd93bd358d15387dc797aef9ce4ff1f6dd8689c

AgentTesla

d5231355835fc25fb6f9923639331084ff0ae602929793c263e01eda38d2fa1b

AgentTesla

fbe07dca7476dba15e9dd639c2b5a71c6bbdf21b0f50ee1fde6aa5bc13e19243

AgentTesla

+ 10'609 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer family:agenttesla

Link:

https://tria.ge/reports/200813-vvgrz4f7he/

Behaviour

AgentTesla Payload

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/834d1c44beb1b8c469300ca6378aa0b1283775867babb3d92fd0dae15ddd9dc7

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar