MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94a90f82e22ab54a8d477590c92d76576be0a3647596f62e8e5b964683572990. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 12 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94a90f82e22ab54a8d477590c92d76576be0a3647596f62e8e5b964683572990
SHA3-384 hash: 35398da9c7593a6d68605ef1e86703f39b37e2c2f3f7c3175f3387a9d430dfc3cbff863ac15844dbb87649deee8bb5a9
SHA1 hash: 33b8ebeb1fd9bcbd59cffd2da187bbfd8315476d
MD5 hash: 86cb3c0ba5433eeed9bc44142bb3f4b1
humanhash: may-vegan-lemon-item
File name:86cb3c0ba5433eeed9bc44142bb3f4b1.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'580'032 bytes
First seen:2020-10-19 11:05:32 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 49152:SZr/dAj7zaJDbpZdT6dcMxYpLqVi9xgH3a31f:qhDlZwOPp2ViLUa3
Threatray 20 similar samples on MalwareBazaar
TLSH A97522BDE2F7ADE5DBFEC2B6B5FC11009697C692A1C5F324580679B020217E099431BE
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
85
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Osno
Create hunting rule
Link:
https://www.capesandbox.com/analysis/72934/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.38220.23002.31444.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %temp% directory
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Deleting a recently created file
Running batch commands
Using the Windows Management Instrumentation requests
Creating a window
Creating a file in the Windows subdirectories
Reading critical registry keys
Launching the process to change network settings
Sending an HTTP GET request
Delayed writing of the file
Launching the default Windows debugger (dwwin.exe)
Changing the Windows explorer settings
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Changing the Windows explorer settings to hide files extension
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Enabling a "Do not show hidden files" option
Result
Threat name:
Osno
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495325
Signature
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Contains functionality to hide user accounts
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Yara detected AntiVM_3
Yara detected Osno Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300120 Sample: N2dTeO3RLu.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 78 Malicious sample detected (through community Yara rule) 2->78 80 Antivirus detection for dropped file 2->80 82 Sigma detected: Capture Wi-Fi password 2->82 84 10 other signatures 2->84 9 N2dTeO3RLu.exe 10 2->9         started        13 Chrome updaters.exe 2->13         started        15 OpenWith.exe 2->15         started        process3 file4 64 C:\Users\user\AppData\...\Chrome updaters.exe, PE32 9->64 dropped 66 C:\Users\user\AppData\...662dTeO3RLu.exe.log, ASCII 9->66 dropped 100 Drops PE files to the startup folder 9->100 17 MSBuild.exe 19 25 9->17         started        21 MSBuild.exe 9->21         started        68 C:\Users\user\AppData\Local\...\r77-x64.dll, PE32+ 13->68 dropped 70 C:\Users\user\AppData\Local\...\r77-x86.dll, PE32 13->70 dropped 23 MSBuild.exe 13->23         started        25 MSBuild.exe 13->25         started        signatures5 process6 dnsIp7 72 246.229.1.0.in-addr.arpa 17->72 74 ip-api.com 208.95.112.1, 49733, 49750, 80 TUT-ASUS United States 17->74 86 Adds a directory exclusion to Windows Defender 17->86 88 Tries to harvest and steal WLAN passwords 17->88 90 Disables the Windows task manager (taskmgr) 17->90 92 Disables the Windows registry editor (regedit) 17->92 27 cmd.exe 17->27         started        30 powershell.exe 25 17->30         started        32 cmd.exe 17->32         started        42 2 other processes 17->42 94 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 21->94 96 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->96 76 246.229.1.0.in-addr.arpa 23->76 98 Tries to harvest and steal browser information (history, passwords, etc) 23->98 34 cmd.exe 23->34         started        36 powershell.exe 23->36         started        38 cmd.exe 23->38         started        40 powershell.exe 23->40         started        signatures8 process9 signatures10 102 Tries to harvest and steal WLAN passwords 27->102 44 conhost.exe 27->44         started        58 3 other processes 27->58 46 conhost.exe 30->46         started        48 conhost.exe 32->48         started        50 tasklist.exe 32->50         started        60 2 other processes 34->60 52 conhost.exe 36->52         started        54 conhost.exe 38->54         started        56 conhost.exe 42->56         started        process11 process12 62 conhost.exe 46->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/94a90f82e22ab54a8d477590c92d76576be0a3647596f62e8e5b964683572990/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 02:11:46 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ssuq7axcfk2uvdkhowimsllwk5v6bi3eowlpmluololena2xfgia._file
Verdict:
suspicious
Similar samples:
0437a3b7c497908d0dc489a1b21cf395b76eedae8f1a1b473ecbb5f02e892bf9
AgentTesla
080f9972ebfb306946e213424ef0970affd55dc8625bb4a2f3d3e38d2a6e2d72
AgentTesla
10b2e74fdeacd4b00b7687eca2f1bfe0c30901561453ae6c1b9549406b29615e
AgentTesla
12546fbdf863d3967becb71e06453a54c79cb38aa1fdfa9f09aae5806f284932
AgentTesla
3bb9f55514122071824320091030f517a2809c140d86791275037569b26f53f1
AgentTesla
5073dae4db5d373083392acc876b2cee4a9c0a06001be580dd5fbca8f6124f68
AgentTesla
88862ca221d9e5f6c871c460a53a0f90ceebaa5a20d8c45b8ec6a9413592f38d
AgentTesla
c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0
AgentTesla
c8c3bc6c01dee147be04e3fbaeb5ff72fbee21e676ba04b7326738e692cec9d0
AgentTesla
e71d977c9bacce7272da75781ecf31ebf29e4b3ee13ce8ba57071421a2457713
AgentTesla
+ 10 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla evasion persistence
Link:
https://tria.ge/reports/201019-rxrzpxz1sx/
Behaviour
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
Disables Task Manager via registry modification
AgentTesla Payload
AgentTesla
Modifies visibility of file extensions in Explorer
Unpacked files
SH256 hash:
94a90f82e22ab54a8d477590c92d76576be0a3647596f62e8e5b964683572990
MD5 hash:
86cb3c0ba5433eeed9bc44142bb3f4b1
SHA1 hash:
33b8ebeb1fd9bcbd59cffd2da187bbfd8315476d
Link:
https://www.unpac.me/results/e4240046-a8f1-4cf4-8a8f-1f549b744ccf/
SH256 hash:
5948037dbeb15fb6fc8a95713f777ae73c35b0cb72e8f0426eec853f88e45b7e
MD5 hash:
537828425399ffced3e4f48098f38681
SHA1 hash:
59547dbc21ecfee517b51942e38b8ef567480f83
Link:
https://www.unpac.me/results/e4240046-a8f1-4cf4-8a8f-1f549b744ccf/
SH256 hash:
173f74176d13c235d744f9e32d658f6301a6b1aa81a014060ba763b55e516fe3
MD5 hash:
4a35aaf2d4ab47f5ea6f75d2de75c831
SHA1 hash:
007676d2097defe7f793f9fb1ffe2f48c0c94ac0
Link:
https://www.unpac.me/results/e4240046-a8f1-4cf4-8a8f-1f549b744ccf/
SH256 hash:
dd512e7633ce75814962a5e05f641d8c6d701e0d5337db48419843a88bfab683
MD5 hash:
0927ba51573fa099a05dcee1894562f4
SHA1 hash:
25353ab8b656c1df5a2f40fa7bea96e65329dc12
Link:
https://www.unpac.me/results/e4240046-a8f1-4cf4-8a8f-1f549b744ccf/
SH256 hash:
be3c7205aa4543ed89661bc951e8c80af7d005c48334e4c5238e1fd839d7ebae
MD5 hash:
6fb069aad381dbfe1e8da125c619c724
SHA1 hash:
74e53c54e6cf178642b90cfef3a4b82aff93393c
Link:
https://www.unpac.me/results/e4240046-a8f1-4cf4-8a8f-1f549b744ccf/
SH256 hash:
3b39bf2024cb62e287033f409848806fb2e035fedafca757a63ca44a09b02657
MD5 hash:
59685df1ca691dedb800e5fffa9fd086
SHA1 hash:
7fb2467548cc06cd29d90af6dd5c6adf0b56aca0
Link:
https://www.unpac.me/results/e4240046-a8f1-4cf4-8a8f-1f549b744ccf/
SH256 hash:
e3f9ac02690808ee8e82aeb07cb5c2a5bea0ec6b704f12749e6e1de14b996b55
MD5 hash:
80a1256052a8c22d8417f99945170b82
SHA1 hash:
d9a167b2a7e3611717b00a037686203935900297
Link:
https://www.unpac.me/results/e4240046-a8f1-4cf4-8a8f-1f549b744ccf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94a90f82e22ab54a8d477590c92d76576be0a3647596f62e8e5b964683572990

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Choice_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_bot_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 94a90f82e22ab54a8d477590c92d76576be0a3647596f62e8e5b964683572990

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/716646/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/72934/

Comments