MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c72f4a1b6edb5068a4dafba53d81748bbabacf1c62525e4906e118a9427a157. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 8 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c72f4a1b6edb5068a4dafba53d81748bbabacf1c62525e4906e118a9427a157
SHA3-384 hash: 4bd12868d0fc78128d258c6d0dcb44c4364f017303b9dda5179ca7335549aba476856ede290cca6183693b6e1c550e52
SHA1 hash: 546b5e4f733d61482900361b3935cf8f49f1324c
MD5 hash: f8e6855633e84daffb30ffd5c9508e46
humanhash: georgia-apart-kansas-cardinal
File name:PCS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:835'584 bytes
First seen:2020-10-26 15:12:52 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'750 x AgentTesla, 19'656 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 6144:AppZaEHpEnOISylC0WwIlvH+GVTJLKfqO5W6b4JxQC95IunecrJSCgHH2ZnJNEYV:mJxVBlPfxdKySW6bExH9BeqY2MMZ
Threatray 10'881 similar samples on MalwareBazaar
TLSH 3A055B4E27648348C554F3FB01AAB74123A1FDEB16A1874A671FB65098A31C3BE8F74D
Reporter abuse_ch
Tags:AgentTesla exe Outlook


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: EUR03-AM5-obe.outbound.protection.outlook.com
Sending IP: 40.92.70.62
From: Delphine GIRARDS <feno_u201@outlook.fr>
Subject: codes PCS
Attachment: PCS.zip (contains "PCS.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/79258/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching cmd.exe command interpreter
Creating a process from a recently created file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
81 / 100
Link:
https://www.joesandbox.com/analysis/512125
Signature
.NET source code contains very large array initializations
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 305265 Sample: PCS.exe Startdate: 26/10/2020 Architecture: WINDOWS Score: 81 66 Found malware configuration 2->66 68 Multi AV Scanner detection for submitted file 2->68 70 Yara detected AgentTesla 2->70 72 .NET source code contains very large array initializations 2->72 9 PCS.exe 4 2->9         started        12 applicztion.exe 2 2->12         started        14 ljYBX.exe 2->14         started        16 2 other processes 2->16 process3 signatures4 82 Hides that the sample has been downloaded from the Internet (zone.identifier) 9->82 18 cmd.exe 1 9->18         started        20 cmd.exe 2 9->20         started        23 InstallUtil.exe 7 12->23         started        27 conhost.exe 14->27         started        29 conhost.exe 16->29         started        31 conhost.exe 16->31         started        process5 dnsIp6 33 applicztion.exe 4 18->33         started        36 conhost.exe 18->36         started        52 C:\Users\user\AppData\...\applicztion.exe, PE32 20->52 dropped 38 conhost.exe 20->38         started        56 173.194.76.109, 49749, 49750, 587 GOOGLEUS United States 23->56 58 smtp.gmail.com 23->58 74 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 23->74 76 Tries to steal Mail credentials (via file access) 23->76 78 Tries to harvest and steal ftp login credentials 23->78 80 3 other signatures 23->80 file7 signatures8 process9 signatures10 62 Multi AV Scanner detection for dropped file 33->62 64 Hides that the sample has been downloaded from the Internet (zone.identifier) 33->64 40 InstallUtil.exe 2 9 33->40         started        45 cmd.exe 1 33->45         started        process11 dnsIp12 60 smtp.gmail.com 173.194.76.108, 49742, 49748, 587 GOOGLEUS United States 40->60 54 C:\Users\user\AppData\Roaming\...\ljYBX.exe, PE32 40->54 dropped 84 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->84 86 Tries to steal Mail credentials (via file access) 40->86 88 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 40->88 90 3 other signatures 40->90 47 reg.exe 1 1 45->47         started        50 conhost.exe 45->50         started        file13 signatures14 process15 signatures16 92 Creates multiple autostart registry keys 47->92
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9c72f4a1b6edb5068a4dafba53d81748bbabacf1c62525e4906e118a9427a157/
Threat name:
Win32.Worm.AutoRun
Create hunting rule
Status:
Malicious
First seen:
2020-10-26 13:09:02 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=trzpjinw5w2qncsnv65fhwaxjc52xlhryysslzeqnyiyvfbhuflq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
AgentTesla
46cf0d598ead968845e7d17cfba1b30eccb7a66fa639763ba99335b3ce4d8f65
AgentTesla
4fba937f1e8ae7eab73de2233f36e813fc2e4e889cbf5103f72ed642ba2e76c3
AgentTesla
5b2d98988762dc2de5918566081c7d43d9dacb82cede10c6af1cbb50ab0955a9
AgentTesla
6a2cc7556c8fb10ce705ad1b1fe835b359baed8c84071683528c6fd6a8dc0332
AgentTesla
6af32b6b849f1186317e65f84c1d59cc03ce878ca8e3706c5d7afae2389b3c64
AgentTesla
76aae91b7f532cb38c1848495595dbd02d6ded35faae729a5bfc65c69d17eef8
AgentTesla
9c127e6452920ba3691a6def9002058e51ef1897413e453c044fb47b75f3552f
AgentTesla
9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
AgentTesla
dec081544348d7000fcbd9ee30c3854733dc8b56f808f5dae28a21050fce03a2
AgentTesla
+ 10'871 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence trojan spyware family:agenttesla
Link:
https://tria.ge/reports/201026-zlnz5hqz36/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:agent_tesla_2019
Create hunting rule
Author:jeFF0Falltrades
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:MALWARE_Win_AgentTeslaV2
Create hunting rule
Author:ditekSHen
Description:AgenetTesla Type 2 Keylogger payload
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

b006fb795ed57ba35c1b28a4657c157f

AgentTesla

Executable exe 9c72f4a1b6edb5068a4dafba53d81748bbabacf1c62525e4906e118a9427a157

(this sample)

  
Dropped by
MD5 b006fb795ed57ba35c1b28a4657c157f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/79258/

Comments