MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 938f044098629bc2b05f3c1bfe1aa32599303a0229ffa1e3d7a29757d778c482. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 5 File information Comments

SHA256 hash:	938f044098629bc2b05f3c1bfe1aa32599303a0229ffa1e3d7a29757d778c482
SHA3-384 hash:	e3f568798b385f3da69107b065f62a87616963fea40fb051c433a0c7ae8e08315709357c818231a04d3256d326501cde
SHA1 hash:	5b18921a028beb59598f465be7509fdf42623d38
MD5 hash:	1cbf24bad0703b23f8a954eb5265d23d
humanhash:	xray-oxygen-angel-helium
File name:	Revised Invoice_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	629'248 bytes
First seen:	2020-10-12 05:50:39 UTC
Last seen:	2020-10-13 00:14:58 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	12288:RBsaQbJOBRxBOTYyG920jP1RPfFfencZGt3U+F:Ia4QP4YyGdb1xZGq
Threatray	237 similar samples on MalwareBazaar
TLSH	7AD45BF22746E85AED7A423F9DA1C0C3B26E21D73E50850DADDE421C4E13117A7E62DE
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: cp1.mywebsitebox.com
Sending IP: 46.4.227.96
From: Thanai Jitrthavonkul <thanai.j@irpc.co.th>
Subject: Wrong Iban Account Number
Attachment: Revised Invoice_pdf.zip (contains "Revised Invoice_pdf.exe")

AgentTesla SMTP exfil server:
mail.flood-protection.org:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/69901/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% subdirectories

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/487913

Signature

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sigma detected: Capture Wi-Fi password

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Uses netsh to modify the Windows network and firewall settings

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/938f044098629bc2b05f3c1bfe1aa32599303a0229ffa1e3d7a29757d778c482/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-12 00:46:06 UTC

AV detection:

24 of 29 (82.76%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=sohqiqeymkn4fmc7hqn74gvdewmtaoqcfh72dy6xuklvpv3yysba._file

Verdict:

unknown

AgentTesla

31e9e7ca798fc5177eb571c001d4d7ae44e141818fa31fb8fe654d44afe3df53

AgentTesla

5e18a7e53e246b740a583555514158a7ec3dfa0b36944b6d8b76fcbc9668ec91

AgentTesla

8c6c41d8e0f478b1be11b938bf83066e8cf7a8b294c18c91e0b2570f464bc6d2

AgentTesla

a6fd278a82dad870444a8d93e3c05accdfaef779460c2f3777d9ef2441620a41

AgentTesla

b24e43f00bbbd88fea2b129c08915d84b5a7643326ff630a0cf013cb2105749c

AgentTesla

b796ebc23a355b8fbd29552b2ff7142f09617c25a30a33d5a92626f69e337d48

AgentTesla

c62ef08103c30d5d2d18fbc2eff820985af40aa377828ef72c3ecad495103511

AgentTesla

ccd1a40e599ad9f364ca70ef3d02b4850901fdeaddb5c9a4b66405e2bccc9ad2

AgentTesla

e2ebeb9d7ac12f7465a44a186f2bc83be704f09a003530f40474bb4546769124

AgentTesla

+ 227 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer spyware persistence trojan family:agenttesla

Link:

https://tria.ge/reports/201012-cxhf92c6q6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Suspicious use of SetThreadContext

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

938f044098629bc2b05f3c1bfe1aa32599303a0229ffa1e3d7a29757d778c482

MD5 hash:

1cbf24bad0703b23f8a954eb5265d23d

SHA1 hash:

5b18921a028beb59598f465be7509fdf42623d38

Link:

https://www.unpac.me/results/6d5ff253-1dea-434e-a310-9c30720654ef/

SH256 hash:

89aa143c91d8cace96581d1ad1e4a67060238498168d9e412227019a838574a3

MD5 hash:

beadcc53a3524ce380a7b07b4da47d57

SHA1 hash:

7014b2381ef1ca0f0c8f1b0884315260dc73932f

Link:

https://www.unpac.me/results/6d5ff253-1dea-434e-a310-9c30720654ef/

SH256 hash:

fdab6037f0b34e3a8ba2414b3c9fe41d6b4d2312dc328173c235a3bd1ac96044

MD5 hash:

ef8b4142aa3e021c15efc93b4f2fcca9

SHA1 hash:

9d0eb8d610c70a4e226f2149cf57d93d631d285f

Detections:

win_agent_tesla_w1

Link:

https://www.unpac.me/results/6d5ff253-1dea-434e-a310-9c30720654ef/

Parent samples :

fa094ea936fc71578f0d86b3a8b7cfb0f6f18dad451770757c2037f5d518b1b8
68d5bcd60a9ce201a3396c12a8d16a25b87e29a7b4c45460b2bfc4e4d743f0fe
938f044098629bc2b05f3c1bfe1aa32599303a0229ffa1e3d7a29757d778c482

SH256 hash:

19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267

MD5 hash:

811864a0b06c529af894a7fec6ddbf47

SHA1 hash:

d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2

Link:

https://www.unpac.me/results/6d5ff253-1dea-434e-a310-9c30720654ef/

Parent samples :

afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb

SH256 hash:

f8bee4108a324df32ad5a2ebafa6b7f411402a21e2598cf9db66486970f80fdd

MD5 hash:

a92da98ff6f5ae608503d074617bcc2a

SHA1 hash:

d3eafcccca011bb3a7a5ae52dd9704ceafcde472

Link:

https://www.unpac.me/results/6d5ff253-1dea-434e-a310-9c30720654ef/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/938f044098629bc2b05f3c1bfe1aa32599303a0229ffa1e3d7a29757d778c482

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	AgentTesla_extracted_bin Create hunting rule
Author:	James_inthe_box
Description:	AgentTesla extracted

Rule name:	AgentTesla_mod_tough_bin Create hunting rule
Author:	James_inthe_box
Reference:	https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar