MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9129d794cfb4727e0245067972311d4d3dd6be3292deee4050204b5964a4ff08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9129d794cfb4727e0245067972311d4d3dd6be3292deee4050204b5964a4ff08
SHA3-384 hash: 7c5f8e7398bf69adcb9b8fc9a90174a0345050b3740c7595c3d1670c7608ed34cafa3e4f7030e2ed93833bfb3b47458c
SHA1 hash: b8eb4951905a98c681ab4e0880f2fe0f9486199b
MD5 hash: ff18116da6e6e7dcc0af7e07d67027e4
humanhash: mirror-comet-maryland-golf
File name:Bank paymentcopy001#pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:50'624 bytes
First seen:2020-12-03 17:47:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 768:8zh/rLvQUzy36qscTRwyLbenb2oDYddLHPX25UfnUf2hn:8zh/nvQ2MhbeaoUDLHPXQUvUfi
Threatray 1'661 similar samples on MalwareBazaar
TLSH 9C33088A3B4D9E13F6A6AF74B3D361E3CE55934339274FA5C8F9026316419C06B42AD3
Reporter abuse_ch
Tags:AgentTesla exe Yahoo


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: sonic308-18.consmr.mail.ir2.yahoo.com
Sending IP: 77.238.178.146
From: Very !mportant????! <gabevvarna01@yahoo.com>
Subject: Fw: Wire Transfer Payment
Attachment: Bank paymentcopy001pdf.rar (contains "Bank paymentcopy001#pdf.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
216
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106671/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/555019
Signature
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Executable has a suspicious name (potential lure to open the executable)
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 326613 Sample: Bank paymentcopy001#pdf.exe Startdate: 03/12/2020 Architecture: WINDOWS Score: 100 64 smtp.yandex.ru 2->64 66 smtp.yandex.com 2->66 78 Found malware configuration 2->78 80 Multi AV Scanner detection for dropped file 2->80 82 Multi AV Scanner detection for submitted file 2->82 84 8 other signatures 2->84 8 Bank paymentcopy001#pdf.exe 3 2->8         started        12 Bank paymentcopy001#pdf.exe 18 5 2->12         started        15 Bank paymentcopy001#pdf.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 72 172.67.143.180, 443, 49740, 49756 CLOUDFLARENETUS United States 8->72 94 Hides threads from debuggers 8->94 96 Injects a PE file into a foreign processes 8->96 19 Bank paymentcopy001#pdf.exe 8->19         started        23 cmd.exe 1 8->23         started        25 WerFault.exe 8->25         started        74 hastebin.com 104.24.127.89, 443, 49736, 49743 CLOUDFLARENETUS United States 12->74 58 C:\Users\user\...\Bank paymentcopy001#pdf.exe, PE32 12->58 dropped 60 Bank paymentcopy00...exe:Zone.Identifier, ASCII 12->60 dropped 98 Creates an undocumented autostart registry key 12->98 27 cmd.exe 1 12->27         started        35 2 other processes 12->35 100 Creates autostart registry keys with suspicious names 15->100 102 Creates multiple autostart registry keys 15->102 29 cmd.exe 15->29         started        76 192.168.2.1 unknown unknown 17->76 62 C:\Users\...\Bank paymentcopy001#pdf.exe.log, ASCII 17->62 dropped 31 cmd.exe 17->31         started        33 cmd.exe 17->33         started        37 3 other processes 17->37 file6 signatures7 process8 dnsIp9 68 smtp.yandex.ru 77.88.21.158, 49783, 49784, 49785 YANDEXRU Russian Federation 19->68 70 smtp.yandex.com 19->70 86 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->86 88 Tries to steal Mail credentials (via file access) 19->88 90 Tries to harvest and steal ftp login credentials 19->90 92 2 other signatures 19->92 39 conhost.exe 23->39         started        41 timeout.exe 23->41         started        43 timeout.exe 1 27->43         started        46 conhost.exe 27->46         started        52 2 other processes 29->52 48 conhost.exe 31->48         started        50 timeout.exe 31->50         started        54 2 other processes 33->54 56 2 other processes 37->56 signatures10 process11 signatures12 104 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 43->104 106 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 43->106
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9129d794cfb4727e0245067972311d4d3dd6be3292deee4050204b5964a4ff08/
Threat name:
ByteCode-MSIL.Trojan.Malrep
Create hunting rule
Status:
Malicious
First seen:
2020-12-03 17:48:10 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=seu5pfgpwrzh4asfaz4xemi5ju65nprsslpo4qcqebfvszfe74ea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
08ae3a735881e41099740e2e79fcd4107d5e94fe9267e28d6bf8bd9fd80a7ce6
AgentTesla
0c316b6e9b1bb80efe9a27b513c7c091cd047d5bf437b88db13f8e45a40e89d6
AgentTesla
51d5859f266a7b373d71b9fd71d2eec4975a8d35fb01486f624b9235120e12d8
AgentTesla
53844995638262e794ee25db674e959f123975f40db830a57c7715231eeb7ce5
AgentTesla
61060fa22e8fe8c29f2cd7b2b4b9bc4d350fc9331a6dfcbc2f873bec00f6818d
AgentTesla
8d10af8f247bb74f1a3d0878785f3afa173c82d4c881f29dd5b60ea6ed5f6b90
AgentTesla
985bab9e10b690bc2c378a3bf510f89746edfda88e33a3a393bda12e6d040fdc
AgentTesla
9d1d3e7e960ed2939190d8cb99aec48b885dabfc1b9f61bbfcb5c4a5abd7e6ab
AgentTesla
b8b373ce2f5835b617f904b50e5e594232982967ea1a12b35bd085c83aa057bb
AgentTesla
e7b159209d33644fbf175828dfce46b31db1c74ae69a3183e59a7226c84391dc
AgentTesla
+ 1'651 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201203-bx6m2s6xax/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
9129d794cfb4727e0245067972311d4d3dd6be3292deee4050204b5964a4ff08
MD5 hash:
ff18116da6e6e7dcc0af7e07d67027e4
SHA1 hash:
b8eb4951905a98c681ab4e0880f2fe0f9486199b
Link:
https://www.unpac.me/results/1f6233bc-46e0-46f5-9dfd-9ea8a5882af9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/9129d794cfb4727e0245067972311d4d3dd6be3292deee4050204b5964a4ff08

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar d4292cfc7f6a582ef548138b033298121430a5189144033f4f73990683c8da87

AgentTesla

Executable exe 9129d794cfb4727e0245067972311d4d3dd6be3292deee4050204b5964a4ff08

(this sample)

  
Dropped by
MD5 0756fd9e55d570de47aeba3013fe6a40
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 d4292cfc7f6a582ef548138b033298121430a5189144033f4f73990683c8da87
Cape
Cape
https://www.capesandbox.com/analysis/106671/

Comments