MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a57377248d090fc6d978b44203af0d963fafd8da10e725f0d2e2ead42a3f574f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a57377248d090fc6d978b44203af0d963fafd8da10e725f0d2e2ead42a3f574f
SHA3-384 hash: 4d20e6955763e21f4f84b1b20c0684aa8dde8bb433d243a9317802eceb73659f0576666ea4c3c328dcdd185365b23069
SHA1 hash: 65af8fbc19ae5a4eafbb8831e38065ac8d2dc434
MD5 hash: 509fef275bf37fddf60eaff261c40893
humanhash: six-hydrogen-pizza-alaska
File name:URGENT UHP RFQ E010 RFQ FOR DC UPS SYSTEM CUT OFF DATE 20 AUGUST 2020.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:762'880 bytes
First seen:2020-08-17 06:22:07 UTC
Last seen:2020-08-17 07:00:47 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:5Fq53/r7eVqKO3zQ71ZauPn9fXZsBipUydNEmv+YeSZWroaPxRU76+qaZmZ:iEMG/Pn9ftndNz+BrroQ0BZmZ
Threatray 10'212 similar samples on MalwareBazaar
TLSH 39F4F122B2D0C51DC06919368E85834C02B9AD856522E6EABCCB326E9D7D3DFD701FDD
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.ipmi-cg.com
Sending IP: 89.223.126.111
From: LEE JUN WOO <angalos@hec-kr.com>
Subject: URGENT [HYUNDAI MOTOR CCPP] DC & UPS SYSTEM / RFQ Issuance / Cut-off date : 2020-08-05
Attachment: URGENT UHP RFQ E010 RFQ FOR DC UPS SYSTEM CUT OFF DATE 20 AUGUST 2020.IMG (contains "URGENT UHP RFQ E010 RFQ FOR DC UPS SYSTEM CUT OFF DATE 20 AUGUST 2020.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
68
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46662/
Detection(s):
SecuriteInfo.com.Generic.mg.509fef275bf37fdd.15984.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/432592
Signature
.NET source code contains potential unpacker
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 268571 Sample: URGENT UHP RFQ E010 RFQ FOR... Startdate: 17/08/2020 Architecture: WINDOWS Score: 100 28 cdn.onenote.net 2->28 36 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->36 38 Found malware configuration 2->38 40 Sigma detected: Scheduled temp file as task from temp location 2->40 42 9 other signatures 2->42 8 URGENT UHP RFQ E010 RFQ FOR DC UPS SYSTEM CUT OFF DATE 20 AUGUST 2020.exe 7 2->8         started        signatures3 process4 file5 20 C:\Users\user\AppData\...\pZTqkrBoKsD.exe, PE32 8->20 dropped 22 C:\Users\...\pZTqkrBoKsD.exe:Zone.Identifier, ASCII 8->22 dropped 24 C:\Users\user\AppData\Local\...\tmpA5B1.tmp, XML 8->24 dropped 26 URGENT UHP RFQ E01...AUGUST 2020.exe.log, ASCII 8->26 dropped 44 Injects a PE file into a foreign processes 8->44 12 URGENT UHP RFQ E010 RFQ FOR DC UPS SYSTEM CUT OFF DATE 20 AUGUST 2020.exe 2 8->12         started        16 schtasks.exe 1 8->16         started        signatures6 process7 dnsIp8 30 smtp.mitsoi.com 12->30 32 us2.smtp.mailhostbox.com 208.91.199.225, 49745, 587 PUBLIC-DOMAIN-REGISTRYUS United States 12->32 34 192.168.2.1 unknown unknown 12->34 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->46 48 Tries to steal Mail credentials (via file access) 12->48 50 Tries to harvest and steal ftp login credentials 12->50 52 Tries to harvest and steal browser information (history, passwords, etc) 12->52 18 conhost.exe 16->18         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a57377248d090fc6d978b44203af0d963fafd8da10e725f0d2e2ead42a3f574f/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 00:28:14 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=uvzxojenbeh4nwlywrbahlynsy727wg2cdtsl4gs4lvnikr7k5hq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
109c732fb8dab15970fff8c7b9bae65b2f29edd8bef809518ddcaca8bd5ddfbb
AgentTesla
1dd86f0bc8a9e1a5a7286cc1503b0713f3a44ff4050265da57d5ad8a26f9f46f
AgentTesla
22f4207de77f987b6791843539e25e05ff3f6c010e805330210399e23c323b87
AgentTesla
2ad145ebeae4ff20eeb893b16658fe43d7557f30c746edc355a5dceb393bf8bb
AgentTesla
6dfd463b53c97a55cd469e4bb1d89eace6a3ed27039fee367c52a26443a610a9
AgentTesla
9e31b6a4dd8141b180cb557b41898e8aaee02a1ace0cf02704e43a30004ae636
AgentTesla
cadf2a43d7f85a109aed5177e99951fba7031621fa470af37a58f283b0edc886
AgentTesla
d9f4c10febc99ea723d7f3f13d92be6bd54fc18eab233e5b28c5bcff0f3c1e1e
AgentTesla
e46618f0270d9929397a5d667b7133ddfb836d08d10d8cf83687b0b71d37cf95
AgentTesla
ec24550a9fa2fdb2a0e7c739b9ac97387925808dbd832b11675f18e48a93bcc5
AgentTesla
+ 10'202 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200817-vpgrmtdd7e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a57377248d090fc6d978b44203af0d963fafd8da10e725f0d2e2ead42a3f574f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 25de3b99b33d0db9b05084419d092ca4584b815f1e7c69cb4a64deb36901eb51

AgentTesla

Executable exe a57377248d090fc6d978b44203af0d963fafd8da10e725f0d2e2ead42a3f574f

(this sample)

  
Dropped by
MD5 0cbedcd49abb2b4120164fba6117e51b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46662/
  
Dropped by
SHA256 25de3b99b33d0db9b05084419d092ca4584b815f1e7c69cb4a64deb36901eb51

Comments