MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 92210ff813da2d2b0ff5158a6385fff2d25cfa1c74836fe877da90a287611a49. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 92210ff813da2d2b0ff5158a6385fff2d25cfa1c74836fe877da90a287611a49
SHA3-384 hash: efda37253741a55cd8e5a7735868fdfe8aeea488d318dade1cae8fd9ed628dffe9748b3403bf46df1fed61d4385830d1
SHA1 hash: 1a9eca20812577969917e1ab2a5e1737faa800a8
MD5 hash: 05d715c8719139260b167f85ef0701ed
humanhash: minnesota-missouri-blue-colorado
File name:oAE1k5FWePBcJxC.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:659'968 bytes
First seen:2020-10-16 12:41:45 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:+B488/fjc3Pl0vigyD69hMWxqxQCzn6m9c8Jg2VRjRY0IkOvT1:648MA3P6KgyDbWwxPzn6m+t2Od
Threatray 599 similar samples on MalwareBazaar
TLSH A7E4DF21A799EF94E17E433BD4A4082493FAED56D372C16A7CE532CD6972FE09122307
Reporter abuse_ch
Tags:AgentTesla DHL exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

From: DHL EXPRESS DELIVERY <intraship@dhl.com>
Reply-To: result.box2019@mail.com
Subject: DHL DELIVERY(FAILD NOTIFICATION)
Attachment: DHL_FORM19837649PDF.rar (contains "oAE1k5FWePBcJxC.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71977/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/493619
Signature
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 299262 Sample: oAE1k5FWePBcJxC.exe Startdate: 16/10/2020 Architecture: WINDOWS Score: 100 29 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->29 31 Multi AV Scanner detection for dropped file 2->31 33 Sigma detected: Scheduled temp file as task from temp location 2->33 35 7 other signatures 2->35 7 oAE1k5FWePBcJxC.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\TauBwkZPUmyh.exe, PE32 7->19 dropped 21 C:\Users\...\TauBwkZPUmyh.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmp7E75.tmp, XML 7->23 dropped 25 C:\Users\user\...\oAE1k5FWePBcJxC.exe.log, ASCII 7->25 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 41 Injects a PE file into a foreign processes 7->41 11 oAE1k5FWePBcJxC.exe 15 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 bradatch.com 45.76.248.163, 21, 49757, 49758 AS-CHOOPAUS United States 11->27 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/92210ff813da2d2b0ff5158a6385fff2d25cfa1c74836fe877da90a287611a49/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 08:07:31 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=siqq76at3iwswd7vcwfghbp76ljfz6q4osbw72dx3kikfb3bdjeq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00d0e1852c2502d4660ce5e286b417531166690478309d95beb7a20e24fcfffa
AgentTesla
2c922884ede0f0e2a0b46d4cbb9d17a46b4d3abf5214a423e880f280faf709a6
AgentTesla
5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66
AgentTesla
874d56e400622b93fb1606b348a4fc41c112de5c69cc13ef0845d378db9ef6a6
AgentTesla
96c4bcff0df93379d1447731b9fd7738ded981e16b2a646668ae1bed2f72a320
AgentTesla
a394155e8d2a15fa55c36e9b679cb922fc07b598c207564434fc8c80ee046503
AgentTesla
c01c0556641fcb384b2ab40d5d4a3fb6c5f119590b679e8957065038699c88a1
AgentTesla
c48e35f8fcabd28e3598287342ddc3f3d28f24d6415786a980675d456e0836f9
AgentTesla
c9692914eb11d2c1cfb26bae5877943c1769994f857f0aa85b8c8f5064a2f042
AgentTesla
d55a3bea3809a1aacc17fbd3e4a1c00e31d326eb12ed07e9ca2215cff41a3bf3
AgentTesla
+ 589 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201016-zqce76qzqs/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
f61fbfec6e5ee210cb03bf26a619e380825a5354087d529c9f9b3a8ddf2243d4
MD5 hash:
d1e5a45b15ecbaf7e732ac9027a4417c
SHA1 hash:
ac922d0a77e613bcee2cc690d784f5c467de000c
Link:
https://www.unpac.me/results/21e15c66-6c99-45a2-82bf-b62ebdd48565/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/21e15c66-6c99-45a2-82bf-b62ebdd48565/
SH256 hash:
d19447e4daa331b814dbab1f526ae23b711eb3a1d458eee20b443675cd9149dd
MD5 hash:
2c4e25bdf3d7a0b5f70726021d59b47c
SHA1 hash:
00b283f2c232b11225019fcfa646b89bec24731a
Link:
https://www.unpac.me/results/21e15c66-6c99-45a2-82bf-b62ebdd48565/
SH256 hash:
820349fd4c99a7fa2110e2f3b72015bb989b4a99f1ae96be42f58a223aa06c5e
MD5 hash:
19a59a55a97a8ec2fb4cc0ab546f1072
SHA1 hash:
8416c8ca3cbee4a4c17987e931c40cdec29893cf
Link:
https://www.unpac.me/results/21e15c66-6c99-45a2-82bf-b62ebdd48565/
SH256 hash:
92210ff813da2d2b0ff5158a6385fff2d25cfa1c74836fe877da90a287611a49
MD5 hash:
05d715c8719139260b167f85ef0701ed
SHA1 hash:
1a9eca20812577969917e1ab2a5e1737faa800a8
Link:
https://www.unpac.me/results/21e15c66-6c99-45a2-82bf-b62ebdd48565/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/92210ff813da2d2b0ff5158a6385fff2d25cfa1c74836fe877da90a287611a49

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar d4dadc9d0abca019b02f860bc603d930c1e5e4b8689a89034091f1af12aaefc0

AgentTesla

Executable exe 92210ff813da2d2b0ff5158a6385fff2d25cfa1c74836fe877da90a287611a49

(this sample)

  
Dropped by
MD5 b444a9bd5538da60d08a7e4534cfd827
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/71977/
  
Dropped by
SHA256 d4dadc9d0abca019b02f860bc603d930c1e5e4b8689a89034091f1af12aaefc0

Comments