MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95ca4bbcf27da5dfc45c3ae4228069c7a228951c9da064276ea5285afd70dbcf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95ca4bbcf27da5dfc45c3ae4228069c7a228951c9da064276ea5285afd70dbcf
SHA3-384 hash: 0f2aa7be24c4a5c4e64066477af4bf8e106c017535e346e20f04994c37489bc28a244904d741a9892b069b6e629d7836
SHA1 hash: a61dda7f1e512022aa67c64d3e3da7b9ef397574
MD5 hash: cd75b7b96fe0f76ca8ce59fba70c597d
humanhash: high-florida-louisiana-cardinal
File name:Please Confirm Your Shipment Address.0011.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:5'647'360 bytes
First seen:2020-07-17 21:36:05 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 98304:n0IBoOgeQEIIu4Aa57HhXLAVQo3yt9Z0R2rWMHtOwO1RTKNPJ:0MmEGalvOwO1FcJ
Threatray 10'613 similar samples on MalwareBazaar
TLSH A44622383686A828C93D0D7588B859E12AB17D437E21C71F3BC6375C6F236DB7E0525A
Reporter Racco42
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
91
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/27577/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending an HTTP GET request
Creating a file in the %temp% subdirectories
Reading critical registry keys
Creating a file
Deleting a recently created file
Reading Telegram data
Running batch commands
Creating a process with a hidden window
Launching a process
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
66 / 100
Link:
https://www.joesandbox.com/analysis/389220
Signature
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 246804 Sample: Please Confirm Your Shipmen... Startdate: 19/07/2020 Architecture: WINDOWS Score: 66 32 Multi AV Scanner detection for submitted file 2->32 34 Yara detected AgentTesla 2->34 36 Sigma detected: Add file from suspicious location to autostart registry 2->36 38 2 other signatures 2->38 7 Please Confirm Your Shipment Address.0011.exe 5 2->7         started        10 pcalua.exe 1 1 2->10         started        12 pcalua.exe 1 2->12         started        process3 file4 24 C:\Users\user\AppData\Roaming\yjbuild.exe, PE32 7->24 dropped 26 C:\Users\user\...\yjbuild.exe:Zone.Identifier, ASCII 7->26 dropped 28 Please Confirm You...ddress.0011.exe.log, ASCII 7->28 dropped 30 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->30 dropped 14 yjbuild.exe 7->14         started        17 cmd.exe 1 7->17         started        process5 signatures6 42 Multi AV Scanner detection for dropped file 14->42 44 Machine Learning detection for dropped file 14->44 19 reg.exe 1 1 17->19         started        22 conhost.exe 17->22         started        process7 signatures8 40 Creates an autostart registry key pointing to binary in C:\Windows 19->40
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/95ca4bbcf27da5dfc45c3ae4228069c7a228951c9da064276ea5285afd70dbcf/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-17 21:38:06 UTC
AV detection:
24 of 31 (77.42%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxfexphspws57rc4hlscfadjy6rcrfi4twqgij3ouuufv7lq3phq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0471b3fae6b442df8ec3b595b5d090527127d3b9a75eb0f12f3e5647d03256c5
AgentTesla
1a32b479225283f435fe37ea7490bd319063d0cbf88ba6845821aa4eadbbdc91
AgentTesla
1fab36a6629cd4e51b3cb35425c547a7e6bb74b14d5476cfaabe03ffa249e06f
AgentTesla
248e331a82ad9163431cb93b8f896addf5a046306f35389270ce457e042dbd94
AgentTesla
2603522c96e103c7707dc88be9b18bb603fc8d57a7f8635a9c5c6365cdff955d
AgentTesla
5cf1f9fd8a8000ae58fa7607a3201c6abfbc9a352d90e589ef1d93317336c881
AgentTesla
a5efbcb25b4339ea9e004364c443afaadb86353cce9dcd9508115bda5a57be88
AgentTesla
b4ddc58acc408b2ba14056f04e2a989f229e537dc7132a48250b3565ef82ca09
AgentTesla
ca85ea610b26c1c9d595cec0108697c662f5580cd9c7d3e26d227f52bb951bff
AgentTesla
cb72b73a404d3558ab932a260d7417ca25f4f35327a9407b446ad370ff9a5e1e
AgentTesla
+ 10'603 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/200717-szdrg9x9t2/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95ca4bbcf27da5dfc45c3ae4228069c7a228951c9da064276ea5285afd70dbcf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 95ca4bbcf27da5dfc45c3ae4228069c7a228951c9da064276ea5285afd70dbcf

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/27577/

Comments