MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85e4cc92a86a9824dfcf30f84f6ffb9314f3322cce17026171c422b98c200a71. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 85e4cc92a86a9824dfcf30f84f6ffb9314f3322cce17026171c422b98c200a71
SHA3-384 hash: f55d0d5f26e590660f8d26a324d9030fc48e93dc7fb71d16190d1fd88bb52bd81b14bf0de66852278e0929e1cb8f330b
SHA1 hash: 204259d7b095a2998bcc9254cbce54d79a5b4b67
MD5 hash: 68fb7c40704c219963c20749c787ae49
humanhash: failed-mockingbird-fifteen-wolfram
File name:CHEMEX DUBAI.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'317'376 bytes
First seen:2020-12-21 12:03:13 UTC
Last seen:2020-12-21 14:12:01 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:/qi9XY18Ccr/lfGVPu+Ha7lIPppoSyY6EBc1NcAAzwj:/qGDr/VQu+H+lIPppoPFE61NcAr
Threatray 1'927 similar samples on MalwareBazaar
TLSH D555BF3469E95218FC776F765AE0785197EFFE237732D41D2C94228A0733E81CC6262A
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
154
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
CHEMEX DUBAI.exe
Verdict:
Suspicious activity
Analysis date:
2020-12-21 12:17:37 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/34954223-a637-415b-9c5e-36a082a74ab1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.482.19044.1751.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/567359
Signature
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332761 Sample: CHEMEX DUBAI.exe Startdate: 21/12/2020 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Found malware configuration 2->51 53 Multi AV Scanner detection for submitted file 2->53 55 8 other signatures 2->55 6 CHEMEX DUBAI.exe 3 2->6         started        9 dsaqmnf.exe 2 2->9         started        11 dsaqmnf.exe 3 2->11         started        process3 file4 23 C:\Users\user\...\CHEMEX DUBAI.exe.log, ASCII 6->23 dropped 14 CHEMEX DUBAI.exe 2 5 6->14         started        19 dsaqmnf.exe 2 9->19         started        57 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->57 59 Machine Learning detection for dropped file 11->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->61 21 dsaqmnf.exe 2 11->21         started        signatures5 process6 dnsIp7 29 smtp.kaypan.com 14->29 31 us2.smtp.mailhostbox.com 208.91.198.143, 49745, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->31 25 C:\Users\user\AppData\Roaming\...\dsaqmnf.exe, PE32 14->25 dropped 27 C:\Users\user\...\dsaqmnf.exe:Zone.Identifier, ASCII 14->27 dropped 37 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->37 39 Tries to steal Mail credentials (via file access) 14->39 41 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->41 33 208.91.199.223, 49746, 587 PUBLIC-DOMAIN-REGISTRYUS United States 19->33 35 smtp.kaypan.com 19->35 43 Tries to harvest and steal ftp login credentials 19->43 45 Tries to harvest and steal browser information (history, passwords, etc) 19->45 47 Installs a global keyboard hook 19->47 file8 signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/85e4cc92a86a9824dfcf30f84f6ffb9314f3322cce17026171c422b98c200a71/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-21 11:31:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
23
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qxsmzevinkmcjx6pgd4e6373smkpgmrmzylqeylryqrltdbabjyq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
18d3a183977a47e81f60e8ec7dfe404116b0f0f9a515696752710d6f5c005866
AgentTesla
342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda
AgentTesla
3aaaf20441f4c63cae5963d1a4244c443a32d517b95be1a26d8c77f2debca232
AgentTesla
6abf5552765851e4db6d8346af1473568c7d1497fd848648e32bd1c5c8d8cb2f
AgentTesla
70bba7ae7db7a571dde9f6e9adad50a1b4fb32b8757f5d6cebb3d73b833644f6
AgentTesla
a67263bb6f4ffdb09b65b1f49c3467cc7ff81c9928a96c4a024b5832ffbbd1ac
AgentTesla
f37614ecb7916b27340fd6270d6917b8778c0b92b8edf0ff9e4aa65f3883f626
AgentTesla
f5e0c3bfd23d86f0cdef681b4922c59e77fb094bacd29add988ff6c9a30d850b
AgentTesla
f8b957b53da50425dfd655553ad255dd26e307971d477edd441ae2c2248ff121
AgentTesla
fad59266b34827f994eba36a030a5abd4c552c3132801afec5fe74c787e10044
AgentTesla
+ 1'917 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201221-yfvvalqbes/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
85e4cc92a86a9824dfcf30f84f6ffb9314f3322cce17026171c422b98c200a71
MD5 hash:
68fb7c40704c219963c20749c787ae49
SHA1 hash:
204259d7b095a2998bcc9254cbce54d79a5b4b67
Link:
https://www.unpac.me/results/9aebf291-9ca4-4373-9d29-1c35d96b54bc/
SH256 hash:
cf29b19edd2914c4b8e4f2bce25dd0ad85d2a26dc4be8be2c4c3eb1e5c4f4da8
MD5 hash:
ca8ed78e7d3af602d4a8a22bb1d30d8e
SHA1 hash:
07ed64d248d5cd0bba971eb0ca7d8c0acacbadaa
Link:
https://www.unpac.me/results/9aebf291-9ca4-4373-9d29-1c35d96b54bc/
SH256 hash:
55abf08a6a6ab7c7848a2bc0410d84befe6dcfa118336e2e4f1ee456a8009efc
MD5 hash:
6ce9761c3c3ae715d40a77b982d31dc9
SHA1 hash:
42a5a02eabe7d80d79408549e7686d4e44524361
Link:
https://www.unpac.me/results/9aebf291-9ca4-4373-9d29-1c35d96b54bc/
SH256 hash:
04575cc061bcf3b2e83263df221d7ea5621b026b0f7c5842bdd3058dba6186b6
MD5 hash:
996bb88816d0d480f997ced198faf2d9
SHA1 hash:
9d93dc8a4f3501bba9abc75058ee3dce1dff8b12
Link:
https://www.unpac.me/results/9aebf291-9ca4-4373-9d29-1c35d96b54bc/
SH256 hash:
b5338c786f93dc8d0b6a4158d44dcfb12881112a2535f02554a8b093e255f0cf
MD5 hash:
13bacd4ca2ff29ff8ce6a2cb83c129a1
SHA1 hash:
e334f0ff6fbb64d4f172e8d313179435ed96c8e4
Link:
https://www.unpac.me/results/9aebf291-9ca4-4373-9d29-1c35d96b54bc/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/85e4cc92a86a9824dfcf30f84f6ffb9314f3322cce17026171c422b98c200a71

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz a75a7d739e33ada5ac49bd29f1824ff608b0e368b75ca31537049546146a66c2

AgentTesla

Executable exe 85e4cc92a86a9824dfcf30f84f6ffb9314f3322cce17026171c422b98c200a71

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 a75a7d739e33ada5ac49bd29f1824ff608b0e368b75ca31537049546146a66c2

Comments