MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 863e79eefbefca07f2b0ff5689d6421ab1ec334b19466e066c744a8ad8495ad6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9



SHA256 hash: 863e79eefbefca07f2b0ff5689d6421ab1ec334b19466e066c744a8ad8495ad6
SHA3-384 hash: 79e284e395ad701628d6ef370ee55104a9e12f7616cd3381cdd2327f1a6f8dc126780248a830b8eab6f4596d2d7ae1fe
SHA1 hash: f0a465eb8e11c7ab96e5ffa9fb11faa581510afd
MD5 hash: acd7f0509015e16b562a5f853c80e7ee
humanhash: winner-vermont-batman-sierra
File name: Faktuur 893454-Tools Repair Service Co..exe
Signature: AgentTesla
File size: 1'257'338 bytes
First seen: 2021-03-18 06:23:21 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 98f67c550a7da65513e63ffd998f6b2e (60 x Worm.Mofksys, 21 x SnakeKeylogger, 13 x MassLogger)
ssdeep: 24576:K5xolYQY6MUx9b7RasY6cDEBFlbuxp3sjaKg6k4U2Vou:dY09E6/3bub8vxU2Vou
TLSH: A045F227A724622AD52592F04851A22267704D312BD2EE7B6BC07F8D34B9743F6F127F
Reporter: cocaman
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 147
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: Faktuur 893454-Tools Repair Service Co..exe
Verdict: Malicious activity
Analysis date: 2021-03-18 06:26:40 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Maliciousness:
Behaviour
Creating a window
Creating a file
Creating a process from a recently created file
Sending a UDP request
Creating a process with a hidden window
Creating a file in the Windows subdirectories
Enabling the 'hidden' option for recently created files
Setting a keyboard event handler
Setting a global event handler
Creating a file in the %AppData% directory
Unauthorized injection to a recently created process
Setting a single autorun event
Launching the process to create tasks for the scheduler
Enabling autorun
Enabling a "Do not show hidden files" option
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with benign system names
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file has a writeable .text section
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Svchost Process
Sigma detected: System File Execution Location Anomaly
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph ID: 370974
Sample: Faktuur 893454-Tools Repair...
Start date: 18/03/2021
Architecture: WINDOWS
Score: 100
Root-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Antivirus detection for dropped file; 16 other signatures

Process tree (graph node numbers in parentheses):
Root: Faktuur 893454-Tools Repair Service Co..exe (12); explorer.exe (16); svchost.exe (18)
    (12) started: icsys.icn.exe (21); faktuur 893454-tools repair service co..exe (25)
    (21) started: explorer.exe (27)
    (25) started: faktuur 893454-tools repair service co..exe (32); schtasks.exe (34)
    (27) started: spoolsv.exe (36)
    (34) started: conhost.exe (40)
    (36) started: svchost.exe (42)
    (42) started: spoolsv.exe (47); at.exe (50); at.exe (52); 12 other processes (54)
    (50) started: conhost.exe (56)
    (52) started: conhost.exe (58)
    (54) started: conhost.exe (60); conhost.exe (62); conhost.exe (64); 9 other processes (66)

Network contacts:
smtp.ionos.com (root)
127.0.0.1 (svchost.exe, 18)
vccmd03.googlecode.com; vccmd02.googlecode.com; 4 other IPs or domains (explorer.exe, 27)
192.168.2.1 (svchost.exe, 42)

Dropped files:
faktuur 893454-too...air service co..exe, PE32 (by 12)
C:\Users\user\AppData\Local\icsys.icn.exe, PE32 (by 12)
C:\Windows\System\explorer.exe, PE32 (by 21)
C:\Users\user\AppData\Roaming\JxQIuHm.exe, PE32 (by 25)
C:\Users\user\...\JxQIuHm.exe:Zone.Identifier, ASCII (by 25)
C:\Users\user\AppData\Local\...\tmp286C.tmp, XML (by 25)
C:\Windows\System\spoolsv.exe, PE32 (by 27)
C:\Users\user\AppData\Roaming\mrsys.exe, PE32 (by 27)
C:\Windows\System\svchost.exe, PE32 (by 36)
C:\Users\user\AppData\Local\stsys.exe, PE32 (by 42)

Signatures per process:
(12): Installs a global keyboard hook
(21): Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
(25): Injects a PE file into a foreign processes
(27): Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Creates an undocumented autostart registry key; 3 other signatures
(32): Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
(36): Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; 2 other signatures
(42): Antivirus detection for dropped file; Machine Learning detection for dropped file; Drops executables to the windows directory (C:\Windows) and starts them; Installs a global keyboard hook
(47): Installs a global keyboard hook

Threat name: Win32.Trojan.Swisyn
Status: Malicious
First seen: 2021-03-17 20:44:24 UTC
File Type: PE (Exe)
Extracted files: 28
AV detection: 46 of 47 (97.87%)
Threat level: 5/5
Verdict: malicious
Label(s): avemaria

Result
Malware family:
Score: 10/10
Tags: family:agenttesla family:xmrig evasion keylogger miner persistence spyware stealer trojan
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Modifies Installed Components in the registry
AgentTesla Payload
AgentTesla
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
xmrig
Unpacked files

SHA256 hash: ca6f557239888974f3877c4d72ce4a132418a15a8655984a0ea43d7fdb9a6eb1
MD5 hash: 40005caf683c046854ef5d72abb69dd4
SHA1 hash: e29aeeb78cf0abf26598f36514837c19979b5bb6

SHA256 hash: 4c27944b45e2e7e29f97635533448c0363c6cd90cda842594d492502ead371d6
MD5 hash: 9c72dd98af436ba9d6642254cd9af557
SHA1 hash: 85c8bf88fcd00b98f42cb96ddb2333fb8ee12266

SHA256 hash: 2b43013edb5706a946f4e523a1a219b31fe2a7e05c48884c048882b3c1327655
MD5 hash: b7159eb14fe565d4e233604b629bbd8a
SHA1 hash: 64f82c67e6c7cbc078141162a49bffcee3d9ebb9

SHA256 hash: 863e79eefbefca07f2b0ff5689d6421ab1ec334b19466e066c744a8ad8495ad6
MD5 hash: acd7f0509015e16b562a5f853c80e7ee
SHA1 hash: f0a465eb8e11c7ab96e5ffa9fb11faa581510afd
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: MALWARE_Win_AgentTeslaV3
Author: ditekSHen
Description: AgentTeslaV3 infostealer payload

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method: Malspam
Malware family: AgentTesla
Sample: Executable exe 863e79eefbefca07f2b0ff5689d6421ab1ec334b19466e066c744a8ad8495ad6 (this sample)
