MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9d6e549d53c3215a63c433e0116f4101d6929c5b1f0f71da18f603481a5c6135. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9d6e549d53c3215a63c433e0116f4101d6929c5b1f0f71da18f603481a5c6135
SHA3-384 hash: d00f677a1e12faab4af0a7217c4fe05446f2ebaf5f19dfdc84c01e6b2d55081e628a087484d59c6fcc67c8b7bd48559d
SHA1 hash: fdcf8880d00428253cffbe598ccea1c741bda3e0
MD5 hash: 54ad94e95dd90aee27c6505aeecfae0f
humanhash: speaker-florida-east-quiet
File name:Outstanding_Payments.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:926'208 bytes
First seen:2020-10-25 06:46:49 UTC
Last seen:2020-10-25 09:19:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:Rf03Jq8HcD+jrS8n6Vs84be73dEDOl0OUlXxd4/JQcJnz7HYob:Rc3Uuc6jBnWkbWRZQXxd4/vz7H
Threatray 9'497 similar samples on MalwareBazaar
TLSH FE15012934CA9B67C3268FF64077B53202BDDD86FE8F40B5D664B4AED4BE99E4350900
Reporter abuse_ch
Tags:AgentTesla BMW exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: bmw.de
Sending IP: 103.99.1.140
From: Marion Schneider(BMW Group)<SRM-Info.No-reply@bmw.de>
Subject: [URGENT] Outstanding payment for month end October
Attachment: Outstanding_Payments.rar (contains "Outstanding_Payments.exe")

AgentTesla SMTP exfil server:
mail.prcpl.com:587

AgentTesla SMTP exfil email address:
jyotika@prcpl.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75330/
Detection(s):
SecuriteInfo.com.Artemis54AD94E95DD9.24159.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Changing the hosts file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508887
Signature
Allocates memory in foreign processes
Binary contains a suspicious time stamp
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303560 Sample: Outstanding_Payments.exe Startdate: 25/10/2020 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Found malware configuration 2->52 54 Sigma detected: Scheduled temp file as task from temp location 2->54 56 7 other signatures 2->56 7 Outstanding_Payments.exe 6 2->7         started        11 WCPCe.exe 2 2->11         started        13 WCPCe.exe 1 2->13         started        process3 file4 32 C:\Users\user\AppData\...\HdVOeWDdFyF.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\Local\...\tmp1F41.tmp, XML 7->34 dropped 36 C:\Users\...\Outstanding_Payments.exe.log, ASCII 7->36 dropped 58 Writes to foreign memory regions 7->58 60 Allocates memory in foreign processes 7->60 62 Injects a PE file into a foreign processes 7->62 15 RegSvcs.exe 2 4 7->15         started        20 schtasks.exe 1 7->20         started        22 conhost.exe 11->22         started        24 conhost.exe 13->24         started        signatures5 process6 dnsIp7 38 prcpl.com 173.254.75.123, 49736, 587 UNIFIEDLAYER-AS-1US United States 15->38 40 mail.prcpl.com 15->40 28 C:\Users\user\AppData\Roaming\...\WCPCe.exe, PE32 15->28 dropped 30 C:\Windows\System32\drivers\etc\hosts, ASCII 15->30 dropped 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->42 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->44 46 Tries to steal Mail credentials (via file access) 15->46 48 5 other signatures 15->48 26 conhost.exe 20->26         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9d6e549d53c3215a63c433e0116f4101d6929c5b1f0f71da18f603481a5c6135/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-25 03:49:35 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tvxfjhktymqvuy6egpqbc32bahljfhc3d4hxdwqy6ybuqgs4me2q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
14f5a4291505c26453b17f8f81861a861b6af3c5d25447f409137220383dd14d
AgentTesla
3b4fb17419bd0e04f1ccd704484fd4f26f1a583871924641a52d4f9440301947
AgentTesla
516b29be6f0d91a249adca2b26381bfa5b90cf6a643d1b621095c6425a74795b
AgentTesla
6378dda8047cccbf0228f9a7c92e6c1650255bbb4fbde0e20c05149f50518dc6
AgentTesla
7a960f3325dc0cea2f5b8e6567070ace6c848cba6b5851a97d4b066612964ee1
AgentTesla
b34d8ebdd54aa4aa65dd2254171ee49c7d275ebafbbb10fe0a9c3283044f2b29
AgentTesla
bf6685f531efdf06db86ed0e735fcbe612858213677111ad900a02164cd77efd
AgentTesla
e50738bd86a1d753a2ccf0e88cfca85fb58986ce16cb9db779e3cbb45e9a4c07
AgentTesla
ee923a4dd9e77a796c589b01ed52bfd3d5b72502e8307c9c362a2d9f6379d197
AgentTesla
f7a21b812eaebf24b601f897d3287979247b6025b1e20841ad8b34ec5d1c6575
AgentTesla
+ 9'487 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201025-g3ltdscjls/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/8d4921d4-3a06-47af-9cfd-a9dd16bd9852/
SH256 hash:
c9dcac4cd17e3e4bc728ac5612460bab474623df8762341d449b6c75044ef676
MD5 hash:
4d1242e85176de194c5a59d333399cac
SHA1 hash:
3f0123ba3833463c8fc230d4af4564c4990f9ea2
Link:
https://www.unpac.me/results/8d4921d4-3a06-47af-9cfd-a9dd16bd9852/
SH256 hash:
37c4aa946033f84334ef8fa13978759063e69f386651af3edcb7199da39c4223
MD5 hash:
1d5a1c18ab020a1c9747823ce05360bd
SHA1 hash:
cf604e1f4d71ed3836765aec96816cc86768fe2d
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/8d4921d4-3a06-47af-9cfd-a9dd16bd9852/
Parent samples :
e50738bd86a1d753a2ccf0e88cfca85fb58986ce16cb9db779e3cbb45e9a4c07
9d6e549d53c3215a63c433e0116f4101d6929c5b1f0f71da18f603481a5c6135
SH256 hash:
9d6e549d53c3215a63c433e0116f4101d6929c5b1f0f71da18f603481a5c6135
MD5 hash:
54ad94e95dd90aee27c6505aeecfae0f
SHA1 hash:
fdcf8880d00428253cffbe598ccea1c741bda3e0
Link:
https://www.unpac.me/results/8d4921d4-3a06-47af-9cfd-a9dd16bd9852/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9d6e549d53c3215a63c433e0116f4101d6929c5b1f0f71da18f603481a5c6135

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 142081ee18e24984467400775591798018de1b3f0a70c99606627a0a065471c7

AgentTesla

Executable exe 9d6e549d53c3215a63c433e0116f4101d6929c5b1f0f71da18f603481a5c6135

(this sample)

  
Dropped by
MD5 75c7c7a62912184b7eec9cf82d2aa2e5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75330/
  
Dropped by
SHA256 142081ee18e24984467400775591798018de1b3f0a70c99606627a0a065471c7

Comments