MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 958071879f7b081197e907c916e6a35a24a49c1d2c38b30ec7de0f5f66a1881b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 958071879f7b081197e907c916e6a35a24a49c1d2c38b30ec7de0f5f66a1881b
SHA3-384 hash: 20934b89601887a310fcbd9bec50cc102e0c5ea4c91f9fc9474a9a7899f1b06a12ad421fb79964e34fd79fa700e4d4e1
SHA1 hash: a7c88aaa5f4aded0d38cf955b299a706f52cf88b
MD5 hash: 2808f6e5581e773ed0b39f9fac949127
humanhash: california-river-oscar-butter
File name:IIW - UT234161112 - P.O.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:837'632 bytes
First seen:2021-02-24 07:05:42 UTC
Last seen:2021-02-24 09:04:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:e4JNP2xWQe9lXKeGlSoPDs12iLCsG16KL:R+WQe9JKBlRPDM2iL1Z
Threatray 2'820 similar samples on MalwareBazaar
TLSH 9C05126222364B19EE7903F123605F5A47B95A3F8BE3E71C1CC4E1DAB181F5A6A1F107
Reporter abuse_ch
Tags:AgentTesla exe Yahoo


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: sonic306-31.consmr.mail.bf2.yahoo.com
Sending IP: 74.6.132.230
From: Avelyn Andrade <kravitzlenny80@yahoo.com>
Subject: REVISE QUOTATION IIW - UT234161112 - P.O
Attachment: IIW - UT234161112 - P.O.zip (contains "IIW - UT234161112 - P.O.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
120
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
IIW - UT234161112 - P.O.exe
Verdict:
Malicious activity
Analysis date:
2021-02-24 07:19:49 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3102f63d-b3c3-4bc3-aa75-dcb145f2ba71

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118873/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42850.6288.20751.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616242
Signature
.NET source code contains potential unpacker
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 357127 Sample: IIW - UT234161112 - P.O.exe Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 57 Multi AV Scanner detection for dropped file 2->57 59 Sigma detected: Scheduled temp file as task from temp location 2->59 61 Multi AV Scanner detection for submitted file 2->61 63 7 other signatures 2->63 7 IIW - UT234161112 - P.O.exe 6 2->7         started        11 intel.exe 5 2->11         started        13 intel.exe 4 2->13         started        process3 file4 39 C:\Users\user\AppData\...\OsfOYVAhkkGb.exe, PE32 7->39 dropped 41 C:\Users\user\AppData\Local\...\tmpD736.tmp, XML 7->41 dropped 43 C:\Users\...\IIW - UT234161112 - P.O.exe.log, ASCII 7->43 dropped 65 Injects a PE file into a foreign processes 7->65 15 IIW - UT234161112 - P.O.exe 2 5 7->15         started        19 schtasks.exe 1 7->19         started        21 IIW - UT234161112 - P.O.exe 7->21         started        23 IIW - UT234161112 - P.O.exe 7->23         started        67 Multi AV Scanner detection for dropped file 11->67 69 Machine Learning detection for dropped file 11->69 25 schtasks.exe 1 11->25         started        27 intel.exe 11->27         started        29 schtasks.exe 13->29         started        31 intel.exe 13->31         started        signatures5 process6 file7 45 C:\Users\user\AppData\Local\...\intel.exe, PE32 15->45 dropped 47 C:\Windows\System32\drivers\etc\hosts, ASCII 15->47 dropped 49 C:\Users\user\...\intel.exe:Zone.Identifier, ASCII 15->49 dropped 51 Moves itself to temp directory 15->51 53 Modifies the hosts file 15->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 15->55 33 conhost.exe 19->33         started        35 conhost.exe 25->35         started        37 conhost.exe 29->37         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/958071879f7b081197e907c916e6a35a24a49c1d2c38b30ec7de0f5f66a1881b/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 07:06:24 UTC
AV detection:
11 of 46 (23.91%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=swahdb47pmebdf7ja7ernzvdliskjha5fq4lgdwh3yhv6zvbranq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0a3044af336b6c7268fe3d1f2fb8ecda2353552bee8455a6285be0a7e55e2d44
AgentTesla
29b33dfc23c9d0fb7375b09cebd89658ed6b5cc66027512f1f697512209fc50a
AgentTesla
6b090efc032911140a9b027ae65b205eb4b6aef2ab0dec995e473470f6706240
AgentTesla
7083d07e76ede7df53ab72e7b1b3b7147ce97b81d89152838b15833c68fb5de3
AgentTesla
79562d8eedb874a33326581e124fa4c43cb24a4eb82bcadcc15502c5040bda44
AgentTesla
909fbce815ea71ef959b37bb5dc6c18eaea743019b66fae2af196473cffb17b1
AgentTesla
977e4d9c036d2572bfb14753b11e21a3f8a689baa1ce7fc3f7324df76c027384
AgentTesla
ac4bc198b74ee90e9ae296353856fe12fc688a42bdeb2b8b9b4f6c2923cd668a
AgentTesla
b093aa405373bf5f37eb5b10379ab1e10add9aaf66471e299162b60d32f98b1a
AgentTesla
c8b97cffe50d47dbbd7b9b1d13f0155709130a76bb87db3eb1fba12d3dc24705
AgentTesla
+ 2'810 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210224-pvqln7ls5n/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
b820d9ee1ec1a71fd8a8c19eaaec7a52bd127366f8be231899174513a69f57a4
MD5 hash:
8249340d21f9ba8e64e6480ec13dff0a
SHA1 hash:
afa23eb3ee98ec0a07674c016d3d64d20584d900
Link:
https://www.unpac.me/results/21415b9c-dc94-4052-a2af-a1b69600593d/
SH256 hash:
1f43e1bf62eef358aad7b2f3d4f387fe726989582285c95b1c81ea64750a5253
MD5 hash:
e6aaf54cd84dd9cc39440febf6eac982
SHA1 hash:
72d96f6e8a74d6b749bd7558f30283ef0300c6ca
Link:
https://www.unpac.me/results/21415b9c-dc94-4052-a2af-a1b69600593d/
SH256 hash:
f0a09c48af16c079c37ad0914f18897976357981fe5ee6f556ab9f9f70b9a671
MD5 hash:
f984a71581f6da5732110be2a569a392
SHA1 hash:
10de05b6b35fc5dbc00c42d59a4b850bcaae01e6
Link:
https://www.unpac.me/results/21415b9c-dc94-4052-a2af-a1b69600593d/
SH256 hash:
958071879f7b081197e907c916e6a35a24a49c1d2c38b30ec7de0f5f66a1881b
MD5 hash:
2808f6e5581e773ed0b39f9fac949127
SHA1 hash:
a7c88aaa5f4aded0d38cf955b299a706f52cf88b
Link:
https://www.unpac.me/results/21415b9c-dc94-4052-a2af-a1b69600593d/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip dadd72585de554121cb2a07bbfbabb3bd7754e7557157d0259f3040bac51a84f

AgentTesla

Executable exe 958071879f7b081197e907c916e6a35a24a49c1d2c38b30ec7de0f5f66a1881b

(this sample)

  
Dropped by
MD5 429da4ce1f2f51270b4cdca14ff0e635
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 dadd72585de554121cb2a07bbfbabb3bd7754e7557157d0259f3040bac51a84f
Cape
Cape
https://www.capesandbox.com/analysis/118873/

Comments