MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 87f32b29a629a3bf5d0ec129f3daf65ce665c816353b41492ef0ca56fd165ce1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 87f32b29a629a3bf5d0ec129f3daf65ce665c816353b41492ef0ca56fd165ce1
SHA3-384 hash: 0f9b4af0aa15c9bad8f1cd55c87b2bfda92d5415bc0bf0d8057d1c160b02bef216a7c7c80b3cacfee95e542f555d2737
SHA1 hash: 9eaf6860201938fc7027b22b11a8667d2b45c979
MD5 hash: 18ba144683247098a9ff944273e3d293
humanhash: uncle-east-hawaii-berlin
File name:Payment slip.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:668'160 bytes
First seen:2021-01-21 12:04:07 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:q28+b87beU8pnwdMfccZ/peI5/DM5Jjco:q28+btU8pnw2fcAp39DM5hD
Threatray 2'234 similar samples on MalwareBazaar
TLSH 61E45B916928C5C6E8AD13B2E29785F528F03C6BCBD1516F71AAFF663070712460FD2E
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
149
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment slip.exe
Verdict:
Suspicious activity
Analysis date:
2021-01-21 12:05:12 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/c400be6e-adbe-405b-81dd-b5f7e0d2565e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/113272/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Launching a process
Connection attempt
Using the Windows Management Instrumentation requests
Creating a file
Creating a file in the %AppData% subdirectories
Sending a UDP request
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Changing the hosts file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/587205
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 342625 Sample: Payment slip.exe Startdate: 21/01/2021 Architecture: WINDOWS Score: 100 42 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->42 44 Found malware configuration 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 5 other signatures 2->48 6 Payment slip.exe 3 2->6         started        11 kprUEGC.exe 2 2->11         started        13 kprUEGC.exe 1 2->13         started        process3 dnsIp4 30 192.168.2.3, 443, 49563, 49678 unknown unknown 6->30 28 C:\Users\user\...\Payment slip.exe.log, ASCII 6->28 dropped 50 Writes to foreign memory regions 6->50 52 Injects a PE file into a foreign processes 6->52 15 RegAsm.exe 2 4 6->15         started        20 conhost.exe 11->20         started        22 conhost.exe 13->22         started        file5 signatures6 process7 dnsIp8 32 us2.smtp.mailhostbox.com 208.91.198.143, 49744, 587 PUBLIC-DOMAIN-REGISTRYUS United States 15->32 24 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 15->24 dropped 26 C:\Windows\System32\drivers\etc\hosts, ASCII 15->26 dropped 34 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->34 36 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->36 38 Tries to steal Mail credentials (via file access) 15->38 40 7 other signatures 15->40 file9 signatures10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/87f32b29a629a3bf5d0ec129f3daf65ce665c816353b41492ef0ca56fd165ce1/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-01-21 08:35:01 UTC
AV detection:
9 of 46 (19.57%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=q7zswkngfgr36xioyeu7hwxwlttglsawgu5ucsjo6dffn7iwltqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c316b6e9b1bb80efe9a27b513c7c091cd047d5bf437b88db13f8e45a40e89d6
AgentTesla
1e43a9cb578534543e39c04879feed5a1d9af3f58ab4c60f306bbedcb2be1470
AgentTesla
53199d2d6d3d21f6a1549eb84faa73b98e68c3c0c4ca31889852a10277125e3a
AgentTesla
559ac8d4a0d12e54467002c83f33cf63f01158a729ff2143b68a5ec42b8535ad
AgentTesla
7a39af512f69ee9235b6b5e199beb2313a42ce4d6ec9b610c6e54a131c415bd8
AgentTesla
8905819fcaa0d71e50cc1ec90e32258967e011878efb78f8db8893ad04a98174
AgentTesla
98712ca737a8d8cddc09bd41dbae64ccc816d5a846da270615108bac7023e19d
AgentTesla
a35495ca447272d3acd4164b73c1f6e881bd0dc854f7953b4047dc79d273c268
AgentTesla
a84f11e95b767a018ebd535c055ce9dd39d0ab23bf563312092662cd8cedf00b
AgentTesla
e40b50918c860d686479a98167208e4104471d38708d82f267b4cedc4242ace2
AgentTesla
+ 2'224 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210121-8q8be8adz2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
97024f17003dd3d31dab64c4d1b8251e50d428644eb59ed3692ad79ce42019cf
MD5 hash:
8cd28be4bd9a1404c6d3600db32b3ed1
SHA1 hash:
fb90b0ca51118e771390d58b19d0a404ee14cfbc
Link:
https://www.unpac.me/results/2c7c4e9a-f99d-4572-ba81-1eb4d97bc5f8/
SH256 hash:
514af7d5407788ee7589b08baca065d20829ee2a1bde4f92e0b11bf52e34a3b4
MD5 hash:
1cff2d32989aaa1c632f44efdf9aa2e4
SHA1 hash:
80f6a535747b5e93cd316e4dc29b79b4bad2cef9
Link:
https://www.unpac.me/results/2c7c4e9a-f99d-4572-ba81-1eb4d97bc5f8/
SH256 hash:
3555ff8aeb7e2a169dae2a29398ba540dde649dec568b09cb82f9ab2fbef5b78
MD5 hash:
ada2e99be694f9982c00e1974f68efe0
SHA1 hash:
45ce5d1efc49157582df401354cf4ad4e9fa71a7
Link:
https://www.unpac.me/results/2c7c4e9a-f99d-4572-ba81-1eb4d97bc5f8/
SH256 hash:
87f32b29a629a3bf5d0ec129f3daf65ce665c816353b41492ef0ca56fd165ce1
MD5 hash:
18ba144683247098a9ff944273e3d293
SHA1 hash:
9eaf6860201938fc7027b22b11a8667d2b45c979
Link:
https://www.unpac.me/results/2c7c4e9a-f99d-4572-ba81-1eb4d97bc5f8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/87f32b29a629a3bf5d0ec129f3daf65ce665c816353b41492ef0ca56fd165ce1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d4432f75ba5ee37e8d0c5495bb7c3648e9a748806741f9bfd2548c80f67cfa1c

AgentTesla

Executable exe 87f32b29a629a3bf5d0ec129f3daf65ce665c816353b41492ef0ca56fd165ce1

(this sample)

  
Dropped by
MD5 d5392ef04bef0d3e01b341d5a36c2a45
  
Dropped by
SHA256 d4432f75ba5ee37e8d0c5495bb7c3648e9a748806741f9bfd2548c80f67cfa1c
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/113272/

Comments