MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a1077b012372849e6b3db7818210e573678d9c2154c5431a7a48abb2868a839f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a1077b012372849e6b3db7818210e573678d9c2154c5431a7a48abb2868a839f
SHA3-384 hash: bf1e134e8a55986fe8fbf3dcc051436bbc12f1816aa17b9819c086136c318ba622f01f60b4a87aaf53374d70a52c442c
SHA1 hash: bbff7d4c424d6e4b57e8fe46baeb9fa64952e1ff
MD5 hash: 32ae8e6f1143f587bc6378f75b69cba9
humanhash: nebraska-indigo-november-eight
File name:Wir copy-USD-- - -- - Doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:859'136 bytes
First seen:2020-09-02 13:21:27 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'452 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:6d2RrfdZ0Cu7s/E8p7xKlFZrZGJhr/RbgxAWO18A/pren6qDqhxHpkw8WE8M5jkC:6sfgriUlAJhrpkxALc1kRpFI9
Threatray 10'171 similar samples on MalwareBazaar
TLSH CF05BE6C7350BAAEC52BFD36C8131D6CDB506836E32BE647C453219C9A0D697EE121F2
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
Sanesecurity.Rogue.0hr.20200902-0908.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/457491
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 281132 Sample: Wir copy-USD-- - -- - Doc.exe Startdate: 02/09/2020 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 7 other signatures 2->37 7 Wir copy-USD-- - -- - Doc.exe 7 2->7         started        process3 file4 21 C:\Users\user\AppData\Roaming\zfXmtkO.exe, PE32 7->21 dropped 23 C:\Users\user\...\zfXmtkO.exe:Zone.Identifier, ASCII 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp31C8.tmp, XML 7->25 dropped 27 C:\...\Wir copy-USD-- - -- - Doc.exe.log, ASCII 7->27 dropped 39 Writes to foreign memory regions 7->39 41 Allocates memory in foreign processes 7->41 43 Injects a PE file into a foreign processes 7->43 11 RegSvcs.exe 4 7->11         started        15 RegSvcs.exe 7->15         started        17 schtasks.exe 1 7->17         started        signatures5 process6 dnsIp7 29 mail.privateemail.com 198.54.122.60, 49720, 49747, 587 NAMECHEAP-NETUS United States 11->29 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 55 2 other signatures 11->55 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->53 19 conhost.exe 17->19         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a1077b012372849e6b3db7818210e573678d9c2154c5431a7a48abb2868a839f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-02 04:18:34 UTC
File Type:
PE (.Net Exe)
Extracted files:
12
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uedxwajdokcj42z5w6ayeehfonty3hbbktcuggt2jcv3fbukqopq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
03035f39055dc379e10a3f7a79092877c022272c9fb14116c44bd9d3ed637655
AgentTesla
0416f24af0f86b36e1068ba8431cf3bf1bad0fa41ec2cfeb655f7b46ef86b5df
AgentTesla
0d4d3af44ed0aa3154be8537fa238439090826f9f5cc264b967e60699f0e9d4a
AgentTesla
2c8da0da6cbab2366291deabbb773bec304a9e49c87982a04d6ee33c712cd642
AgentTesla
350f76a14a11bfe8d35f65d21204d6f3b58f5b8b3e80946fe664c2ec28ed5964
AgentTesla
54a3195e1eb2acf84a5d65549f7497c30e161c48fc5de9754d99bdd57d1ef4c9
AgentTesla
6ef9a45a617adf0e0ff740e37c865325289a110394725c393c314a3128a2575f
AgentTesla
6fadee8038751819aef12bc1abc18e17efbc53a8cdfb977dc5cde08e5d0c1552
AgentTesla
d5683e9201b5e1962693f4fd6d5485a553ed8537c6956c6bfed7d040d20069f0
AgentTesla
dcbfc03cfe9523c25ab335f599cebcbbe8f2439ef7ab973aa9ec0330e4e7d11f
AgentTesla
+ 10'161 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200902-jaaj4hqkya/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a1077b012372849e6b3db7818210e573678d9c2154c5431a7a48abb2868a839f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/54342/

Comments