MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9dc3890b92c13e4cc8df3b4c4a6a00cb35a3bdc15b4c4d28bafbca3902525c66. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	9dc3890b92c13e4cc8df3b4c4a6a00cb35a3bdc15b4c4d28bafbca3902525c66
SHA3-384 hash:	153167d3d16c9eb195bc41208029b1d31b01b81f9718da53df2140b71016c3f85a77c15fb0f27c08a2be51d1380740c5
SHA1 hash:	fbac842175f47150df2199f40cbab353ac93d0f9
MD5 hash:	6e29cac532621cbc691a2e83bf7d6c1f
humanhash:	yellow-minnesota-neptune-table
File name:	DATABEN.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	734'208 bytes
First seen:	2020-07-30 10:16:48 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:F3F48TZ2Ola42zINYmLUqletREJm/wEMjf9rITQzsaT:c2J2LmLUgcREJ5DCT
Threatray	10'669 similar samples on MalwareBazaar
TLSH	FAF40739F9869400D53C057588A845D522F26F8B7A0DCB1F69F23B6C6E733CB6607E4A
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/35468/

Detection(s):

SecuriteInfo.com.CAP_HookExKeylogger.22413.28085.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Launching the default Windows debugger (dwwin.exe)

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/403519

Signature

.NET source code contains very large array initializations

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/9dc3890b92c13e4cc8df3b4c4a6a00cb35a3bdc15b4c4d28bafbca3902525c66/

Threat name:

ByteCode-MSIL.Infostealer.Fareit

Status:

Malicious

First seen:

2020-07-30 10:18:07 UTC

AV detection:

22 of 28 (78.57%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=txbysc4sye7ezsg7hngeu2qazm22hpoblnge2kf27pfdsasslrta._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

11f3dfff225ea56d89db46efa90526a1dce3a1da0ad47ee4781e6f3104c4a2ed

AgentTesla

2579750fc31d553a0c28640684542d667f050c7cfe1fb04964ec03b1a9cf00e7

AgentTesla

681eec22b304d975c119e8b5721abd7b4ee6586361b51dda2c93f5a4c426abe4

AgentTesla

6b0f2c8d4a8c8883be658db9868b33db30eb73755e4688279c29599eb25c6099

AgentTesla

b7d226784dbf8f2a77af4b279116c799e50e20c99154baed7bfac4c91d5c9b2c

AgentTesla

b9d2e1648eb5b6ac43f87569aa94768d261700b36fd610ac222dfdecd73006a4

AgentTesla

ba4c584519a8fa8a90a906dea86ebe75bb3464190a152467d32ebdefcfc4e643

AgentTesla

ee9ee2abef95ddfdcad61d9314b9fec9deb37695427b57b85248ff3adfa8fdeb

AgentTesla

f58363f865048e85056700e2cc3f38fdf9aaaace5e2b738556a6e75e6dfba86c

AgentTesla

+ 10'659 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

persistence spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200730-79b864dal6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Program crash

Suspicious use of SetThreadContext

Adds Run key to start application

Loads dropped DLL

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.78

Link:

https://yomi.yoroi.company/submissions/9dc3890b92c13e4cc8df3b4c4a6a00cb35a3bdc15b4c4d28bafbca3902525c66

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name:	win_agent_tesla_w1 Create hunting rule
Author:	govcert_ch
Description:	Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/35468/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample