MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
SHA3-384 hash: 7fc055b608289b24eb3522d23a3202e9af255f753229900f1f8b92237e0caaf35d65138f3248bd493a11f2c5f642a197
SHA1 hash: da6193b7b261d0d6d0b554a94d29ba4846b614b7
MD5 hash: 0a27a7189fa876b1b5954b1fb2e3767c
humanhash: burger-uncle-helium-floor
File name:Codes.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:733'696 bytes
First seen:2020-10-17 12:07:20 UTC
Last seen:2020-10-17 13:04:40 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:yQxMDCTcT7jfoEyfymrgNpP7WYzA9J3g2MO+tRY7//h1huZSC4Jo97xBEUd68vgt:6DCY7oJAHWnuptwpUDLhgCJ1dUEMcU
Threatray 10'812 similar samples on MalwareBazaar
TLSH 8CF45C1677718A44C2A4F3FF5996A68413E2FCCB1644871A1F2EB7E1D4B32C2AE5C24D
Reporter abuse_ch
Tags:AgentTesla exe Outlook


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: EUR01-HE1-obe.outbound.protection.outlook.com
Sending IP: 40.92.65.96
From: feno_ u201 <feno_u201@outlook.fr>
Subject: justificatif
Attachment: Codes.zip (contains "Codes.exe")

AgentTesla SMTP exfil server:
smtp.gmail.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
140
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72545/
Detection(s):
SecuriteInfo.com.Variant.Strictor.42514.3709.12620.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Creating a process with a hidden window
Creating a file in the %AppData% directory
Launching cmd.exe command interpreter
Creating a process from a recently created file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494451
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Creates multiple autostart registry keys
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses cmd line tools excessively to alter registry or file data
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 299676 Sample: Codes.exe Startdate: 17/10/2020 Architecture: WINDOWS Score: 100 64 smtp.gmail.com 2->64 78 Found malware configuration 2->78 80 Multi AV Scanner detection for submitted file 2->80 82 Yara detected AgentTesla 2->82 84 4 other signatures 2->84 10 Codes.exe 4 2->10         started        14 ljYBX.exe 2->14         started        signatures3 process4 file5 60 C:\Users\user\AppData\Local\...\Codes.exe.log, ASCII 10->60 dropped 96 Hides that the sample has been downloaded from the Internet (zone.identifier) 10->96 16 cmd.exe 1 10->16         started        18 cmd.exe 2 10->18         started        21 conhost.exe 14->21         started        signatures6 process7 file8 23 vpn.exe 3 16->23         started        26 conhost.exe 16->26         started        58 C:\Users\user\AppData\Roaming\vpn.exe, PE32 18->58 dropped 28 conhost.exe 18->28         started        process9 signatures10 86 Multi AV Scanner detection for dropped file 23->86 88 Machine Learning detection for dropped file 23->88 90 Uses cmd line tools excessively to alter registry or file data 23->90 92 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->92 30 InstallUtil.exe 2 9 23->30         started        35 cmd.exe 1 23->35         started        37 cmd.exe 23->37         started        39 5 other processes 23->39 process11 dnsIp12 66 smtp.gmail.com 172.253.120.108, 49736, 49737, 49746 GOOGLEUS United States 30->66 62 C:\Users\user\AppData\Roaming\...\ljYBX.exe, PE32 30->62 dropped 68 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 30->68 70 Tries to steal Mail credentials (via file access) 30->70 72 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 30->72 76 5 other signatures 30->76 74 Uses cmd line tools excessively to alter registry or file data 35->74 41 reg.exe 1 1 35->41         started        44 conhost.exe 35->44         started        46 conhost.exe 37->46         started        48 reg.exe 37->48         started        50 conhost.exe 39->50         started        52 reg.exe 39->52         started        54 conhost.exe 39->54         started        56 7 other processes 39->56 file13 signatures14 process15 signatures16 94 Creates multiple autostart registry keys 41->94
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a/
Threat name:
ByteCode-MSIL.Infostealer.Racealer
Create hunting rule
Status:
Malicious
First seen:
2020-10-17 11:03:45 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=t37akyjbofpbm4n5dwkakgfsb4nym44xh3aatuvyj4smvxhkfrfa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
46cf0d598ead968845e7d17cfba1b30eccb7a66fa639763ba99335b3ce4d8f65
AgentTesla
4fba937f1e8ae7eab73de2233f36e813fc2e4e889cbf5103f72ed642ba2e76c3
AgentTesla
5b2d98988762dc2de5918566081c7d43d9dacb82cede10c6af1cbb50ab0955a9
AgentTesla
6a2cc7556c8fb10ce705ad1b1fe835b359baed8c84071683528c6fd6a8dc0332
AgentTesla
6af32b6b849f1186317e65f84c1d59cc03ce878ca8e3706c5d7afae2389b3c64
AgentTesla
76aae91b7f532cb38c1848495595dbd02d6ded35faae729a5bfc65c69d17eef8
AgentTesla
9c127e6452920ba3691a6def9002058e51ef1897413e453c044fb47b75f3552f
AgentTesla
b326e71388c8abfb8e0e74aa913863af33e3299ad79fa42dd2d3e4c44e63da2a
AgentTesla
b8cf49555f75f9f06bdfb76150d4b3e1a01a831a7eac7b644dde084c212a43d2
AgentTesla
dec081544348d7000fcbd9ee30c3854733dc8b56f808f5dae28a21050fce03a2
AgentTesla
+ 10'802 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence trojan spyware family:agenttesla
Link:
https://tria.ge/reports/201017-1v8vzmzven/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
f9c341679423a3ac010b7da292ab6d1ef0ae7e995cd085ada95e1384ba3af38c
MD5 hash:
b1c72a8e99542c64507470535686ddd9
SHA1 hash:
fe3bec4b6e2b7091db68705feb59090c24c8b6ed
Link:
https://www.unpac.me/results/3f479780-1cdf-4a3a-ac03-dc11d39eb015/
SH256 hash:
9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
MD5 hash:
0a27a7189fa876b1b5954b1fb2e3767c
SHA1 hash:
da6193b7b261d0d6d0b554a94d29ba4846b614b7
Link:
https://www.unpac.me/results/3f479780-1cdf-4a3a-ac03-dc11d39eb015/
SH256 hash:
4511d23fd8256f424ccb13a8e6cecea692e629c5c2f00b47f9a5a1469dbe461d
MD5 hash:
4c610ab0b16daa66e26d90dab6517245
SHA1 hash:
1197a1c0623ecd73697e63b086ed0bc0206862e0
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/3f479780-1cdf-4a3a-ac03-dc11d39eb015/
Parent samples :
9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a
3027bef9e4262ad05caadb38d130aeaed53ba3df25e3987b76f4d57a286f733b
32815b68e914e1be70f1151343016ba71e70e48358ff50a36a052ac4e8721990
84b555de54d251346360a06f9537948fcbc653c81b2c733c02791bc64c6c4b9f
ee357cfde91f8df2a686f81a4b8d72c9df2ad51645801ac8a7202b5bcff515f4
SH256 hash:
4f690f3cf792f24a571f09740cf25d0979bde8c11180a26864056643c30479cd
MD5 hash:
304cc4a1948539064cfec5b70bd83e21
SHA1 hash:
32b3754f52323fd71b8349f01c9dd4bc4fecd880
Link:
https://www.unpac.me/results/3f479780-1cdf-4a3a-ac03-dc11d39eb015/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.88
Link:
https://yomi.yoroi.company/submissions/9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:AgentTesla_extracted_bin
Create hunting rule
Author:James_inthe_box
Description:AgentTesla extracted
Rule name:AgentTesla_mod_tough_bin
Create hunting rule
Author:James_inthe_box
Reference:https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/
Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip c9ed65f3e8b2c3e76cbde4e0beb836eaa6b830aed07f1fcd9d3de089de350b1f

AgentTesla

Executable exe 9efe056121715e1671bd1d940518b20f1b8673973ec009d2b84f24cadcea2c4a

(this sample)

  
Dropped by
MD5 7b7b46fdf3a0983934a68c3a0e3aa975
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72545/
  
Dropped by
SHA256 c9ed65f3e8b2c3e76cbde4e0beb836eaa6b830aed07f1fcd9d3de089de350b1f

Comments