MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a116408d80687d8690b36b9b47833c28536a57e7689d0d79d2050cf9a41d989e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 3 File information Comments

SHA256 hash:	a116408d80687d8690b36b9b47833c28536a57e7689d0d79d2050cf9a41d989e
SHA3-384 hash:	6d0b4c353d954f207a0fd0605a2917df702057c95b9e42860435dba26288b6f09010c470f57b03afe786aebaeefb6751
SHA1 hash:	a781488314d23f67ee0f02151ce9b725d2b27f83
MD5 hash:	6069d333f9a52a258569df78f9372d3a
humanhash:	jersey-alaska-arizona-nitrogen
File name:	inquiry.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	732'672 bytes
First seen:	2020-07-28 13:09:48 UTC
Last seen:	2020-07-28 14:23:21 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	20e6d5abed83baa72fa27d4f775f9f3c (7 x AgentTesla, 5 x MassLogger, 1 x QuasarRAT)
ssdeep	12288:tH8TTCvLmK25X5CK7jQMuG6sh8ktgNYoVNXkZ0svl8Ssbx9owVShvCN:FcojK7LuBl6gNYoVVU56Sszowr
Threatray	11'435 similar samples on MalwareBazaar
TLSH	63F4AF66F6E04833D1673A3C9F1B57689C39BE002A2879466FE51C7C5F3938334692A7
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: win2.nictr.com
Sending IP: 213.238.169.30
From: info <info@gokkusagimobilya.com>
Subject: FW: new inquiry
Attachment: inquiry.gz (contains "inquiry.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/33650/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/400327

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a116408d80687d8690b36b9b47833c28536a57e7689d0d79d2050cf9a41d989e/

Threat name:

Win32.Trojan.DataStealer

Status:

Malicious

First seen:

2020-07-28 13:11:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uelebdmanb6yneftnonupaz4fbjwuv7hncoq26osaugptja5tcpa._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

205d1684668f7cdb88d3afa81e13e706565bf2f1e5ad4a13800caa2a39b82030

AgentTesla

43a5c4c699ed770d7cb1905974ce708b67d76e3d4c15734a067dafb62a9b986e

AgentTesla

50926a9216bcaa109ca6434bfe263dde7e6554c47f1771a3a0da30a0a809de6c

AgentTesla

8105cabf969ea3460541268aef53c13f8c8b12a7e99f0e6e74fe86cf2a86b8f3

AgentTesla

ce0257b16f4bfe10b1e98e9f7c332ec4fd4766a093c5462a32394282c6a5120e

AgentTesla

d09b3d3ddff303f38d76bc615b777169e2d3b672647a6e54bf99490db0efc083

AgentTesla

da7e4f326f4123632bae5f5f99c3b940e638fafa12bd71c5603089b9b599fbec

AgentTesla

e192674e243cfae4c1e3e45e31084bb4bc3434a05342f6160caf2ce4b7c0ded1

AgentTesla

e2ffaab533cf46ad69fee9f095ac45555ad8de6a0581e4579e4caeb2c190b7ee

AgentTesla

+ 11'425 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200728-83t3ebt5f2/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tinba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a116408d80687d8690b36b9b47833c28536a57e7689d0d79d2050cf9a41d989e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar