MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87257a8478febca687e205af4d5fe832c8de27f257c8201879e7556b61da9f92. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87257a8478febca687e205af4d5fe832c8de27f257c8201879e7556b61da9f92
SHA3-384 hash: cc40028420c6dc06a70a6fd862c8c0176065983b3087ecdae00e94b2206098efc8f452faa3637a03e8c781d068df232f
SHA1 hash: 28b103199721e43e6b7654588dda66512aa5cb7b
MD5 hash: d1a4fefe8b2d9a2b7634518154a4fb6c
humanhash: saturn-april-indigo-black
File name:Embroidery Report-August-8.zip.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:704'000 bytes
First seen:2020-08-08 08:31:00 UTC
Last seen:2020-08-08 10:09:13 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:gnNaGOImU43R7S2jjquxby/gKygHegzL8zZ7grpiAVP7r9r/+ppppppppppppppZ:gnNabImXD+/RygHegz4zZMQAV1q
Threatray 63 similar samples on MalwareBazaar
TLSH A4E4AEC4D98C67A0DD98AB706A7EEC3152237DADA874A51C29CE3D373BFB3931025152
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: error-no-valid-domain.com
Sending IP: 103.99.1.143
From: sha-cs@fardar.com<sha-cs@fardar.com>
Subject: Re:Order Rcv Report (ORR) Week 31
Attachment: Embroidery Report-August-8.zip.zip (contains "Embroidery Report-August-8.zip.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
114
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42133/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader34.18893.15662.17735.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/415812
Signature
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses an obfuscated file name to hide its real file extension (double extension)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 260161 Sample: Embroidery Report-August-8.... Startdate: 08/08/2020 Architecture: WINDOWS Score: 88 23 Yara detected AgentTesla 2->23 25 Yara detected AntiVM_3 2->25 27 Uses an obfuscated file name to hide its real file extension (double extension) 2->27 29 3 other signatures 2->29 7 Embroidery Report-August-8.zip.exe 3 2->7         started        process3 file4 21 C:\...mbroidery Report-August-8.zip.exe.log, ASCII 7->21 dropped 31 Writes to foreign memory regions 7->31 33 Allocates memory in foreign processes 7->33 35 Sample uses process hollowing technique 7->35 37 Injects a PE file into a foreign processes 7->37 11 RegSvcs.exe 2 7->11         started        13 backgroundTaskHost.exe 10 28 7->13         started        15 RegSvcs.exe 7->15         started        17 RegSvcs.exe 7->17         started        signatures5 process6 process7 19 dw20.exe 22 6 11->19         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/87257a8478febca687e205af4d5fe832c8de27f257c8201879e7556b61da9f92/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-08 08:32:12 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=q4sxvbdy726knb7cawxu2x7iglen4j7sk7ecagdz45kwwyo2t6ja._file
Verdict:
unknown
Similar samples:
0901de39960b39d06ff200004196c1a13d534eb6eb25273c9ee630b29dec10cc
AgentTesla
33e7bd8b10bd937f73029fae45b86815c941099c3c923105d5ba5449f591619f
AgentTesla
591c4d26e3bbb4607b0c3387cc2353625a4a3e2af1e8747531a1fe4d15bbf8b3
AgentTesla
62eac77e0c2f8ca3a62f0ba2cd9989323b8a8d571ddd613048820f5cee6b1162
AgentTesla
8a8aca1544dabe98eb99d5c8871996ba1ec8509a1b811773a8c72fb1a1a83315
AgentTesla
b8857292907964728bf2613f9a49f29571ac621e1903f74bff08841efa93ab01
AgentTesla
d6fad316d9603cc8cf82b520043853ef4597124b2ffb86abf8b52b80e9f18a53
AgentTesla
d959c6dbba3a0e31b0917f5245b93b3c606fb4b3900a77fab714e9c118ad9ed9
AgentTesla
e673332bede0d99119dddfdf730d250a4a4eb4b84810fdf8bd8f27e6955c6412
AgentTesla
f5ca4644c1340cd373374d09ecd052c57c8c8abef50c4ae280876497d3f40a64
AgentTesla
+ 53 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/200808-njgjy8v5vx/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.66
Link:
https://yomi.yoroi.company/submissions/87257a8478febca687e205af4d5fe832c8de27f257c8201879e7556b61da9f92

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip f06a22ee4dcff0923905e7eeec58a2fbcbf492a15dd629bfadbdcfcce2dfbfd6

AgentTesla

Executable exe 87257a8478febca687e205af4d5fe832c8de27f257c8201879e7556b61da9f92

(this sample)

  
Dropped by
MD5 ab609ac3c04653e36485411266f8c721
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/42133/
  
Dropped by
SHA256 f06a22ee4dcff0923905e7eeec58a2fbcbf492a15dd629bfadbdcfcce2dfbfd6

Comments