MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a659a457c8954db3ca3bd4e5f48bc06f9636885aa9f1d51a2348a029b30f79cc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a659a457c8954db3ca3bd4e5f48bc06f9636885aa9f1d51a2348a029b30f79cc
SHA3-384 hash: 661f040d8133446f9e893c06d5bdd2cf8fe37f5a506f1feca68570ebb9a6367cca745cc1266e04604132a0d18c976c1b
SHA1 hash: a3745f9a26352dd28498282d05335a03dab7d6ac
MD5 hash: af222e4c07e6ee91efd3efe616bc550b
humanhash: pip-bacon-uncle-venus
File name:Krishna Gangaa Enviro System Pvt Ltd.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:46'200 bytes
First seen:2021-04-07 11:20:00 UTC
Last seen:2021-04-07 12:00:34 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 768:GFo89K0KmXZKrGTd5tRgvfkDmt9a5gVuYl3TyWTNf6UKkvh:GlKE8rGTdnDmt9a5gVuYl3TyWTNf6UH
Threatray 3'872 similar samples on MalwareBazaar
TLSH 2D23D0C87E7200A9F4CB183A0FB1B7A2A7E1A7D105424C25903CE94DDD5EB162D7DF6A
Reporter abuse_ch
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:sunrKnOELgwnQzZyjhNEj
Issuer:sunrKnOELgwnQzZyjhNEj
Algorithm:sha256WithRSAEncryption
Valid from:2021-04-07T06:47:38Z
Valid to:2022-04-07T06:47:38Z
Serial number: 17b7ccbf356292587e413c6c2f760432
Thumbprint Algorithm:SHA256
Thumbprint: f5c31e7d736328225adc8d6764a8e940b21f93952c1ee6ce90824cbfb8fa3cfa
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: [103.150.8.47]
Sending IP: 103.150.8.47
From: Yogesh Thakare <yogeshthakare59@gmail.com>
Subject: lab setup instrument ( Krishna gangaa enviro nagpur )
Attachment: Krishna Gangaa Enviro System Pvt Ltd.7z (contains "Krishna Gangaa Enviro System Pvt Ltd.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
145
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Krishna Gangaa Enviro System Pvt Ltd.exe
Verdict:
Malicious activity
Analysis date:
2021-04-07 11:27:45 UTC
Tags:
trojan
Link:
https://app.any.run/tasks/dba095f3-8e17-43f4-9c68-c672567f0965

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/132829/
Detection(s):
SecuriteInfo.com.Trojan.Win32.Save.a.24399.29551.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending an HTTP GET request
Sending a custom TCP request
Sending a UDP request
Creating a file
Moving a recently created file
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a process with a hidden window
Launching a service
Deleting a recently created file
Launching a process
Running batch commands
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Using the Windows Management Instrumentation requests
Moving of the original file
Adding exclusions to Windows Defender
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Unknown
Link:
https://analyze.intezer.com/analyses/c88643a3-37ca-4daa-9f4e-d11bca7ef142
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/668567
Signature
Adds a directory exclusion to Windows Defender
Found malware configuration
Hides threads from debuggers
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 383212 Sample: Krishna Gangaa Enviro Syste... Startdate: 07/04/2021 Architecture: WINDOWS Score: 100 33 mx-out02.natrohost.com 2->33 35 mail.babyjem.com.tr 2->35 43 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->43 45 Found malware configuration 2->45 47 Yara detected AgentTesla 2->47 49 3 other signatures 2->49 8 Krishna Gangaa Enviro System Pvt Ltd.exe 21 11 2->8         started        signatures3 process4 dnsIp5 39 104.21.56.119, 443, 49726 CLOUDFLARENETUS United States 8->39 41 myliverpoolnews.cf 172.67.150.212, 49725, 80 CLOUDFLARENETUS United States 8->41 31 C:\Users\user\AppData\...\AdvancedRun.exe, PE32 8->31 dropped 51 Adds a directory exclusion to Windows Defender 8->51 53 Hides threads from debuggers 8->53 13 Krishna Gangaa Enviro System Pvt Ltd.exe 2 8->13         started        16 cmd.exe 1 8->16         started        18 powershell.exe 23 8->18         started        20 2 other processes 8->20 file6 signatures7 process8 dnsIp9 55 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->55 57 Moves itself to temp directory 13->57 59 Tries to steal Mail credentials (via file access) 13->59 61 2 other signatures 13->61 23 conhost.exe 16->23         started        25 timeout.exe 1 16->25         started        27 conhost.exe 18->27         started        37 192.168.2.1 unknown unknown 20->37 29 AdvancedRun.exe 20->29         started        signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a659a457c8954db3ca3bd4e5f48bc06f9636885aa9f1d51a2348a029b30f79cc/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-07 11:20:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
14 of 29 (48.28%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uzm2iv6isvg3hsr32ts7jc6an6ldncc2vhy5kgrdjcqctmypphga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0d14d496bfc02d35be0b219adc5eddf49fe129e3249beaf7fa5cc71b712e9c63
AgentTesla
1434167f6c381546867873364610b20cbe1946ea749f6bdf82ac18453951cc12
AgentTesla
174d9ba2e89f897d84a612d59117d349773c91f129aa8cdb8ad8a29d576fa8af
AgentTesla
364afe555167f1dddc5231ff116a558a65383cd947bbf67fc7fbdd85172ea871
AgentTesla
7152c6554215cabb53c75d1cd7d988c10351958fb7d190625e6875e3ce57756e
AgentTesla
812a71bf7c8bec5ba792953f300d7c16f4748351b2058dfca5d38cbb1680e40b
AgentTesla
9e6fdb6456dfaf737767adb44ebdb84910cec8be91a12c2b7a37c84b5aed6104
AgentTesla
cb6b64368f82e2596852532158f265a5b5d889abfce8d3025f5c8177f3462e33
AgentTesla
d94cad3bda5709a80fa3ec8440f5bf135b17dcb7f364e1cbfbf003402f74edc3
AgentTesla
eb5af57f681421a21e682dd8adf47644803649b467f4f8da53f14de2182a76c7
AgentTesla
+ 3'862 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210407-9wa58ce6a2/
Behaviour
Delays execution with timeout.exe
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Modifies Windows Defender Real-time Protection settings
Turns off Windows Defender SpyNet reporting
Windows security bypass
Unpacked files
SH256 hash:
a659a457c8954db3ca3bd4e5f48bc06f9636885aa9f1d51a2348a029b30f79cc
MD5 hash:
af222e4c07e6ee91efd3efe616bc550b
SHA1 hash:
a3745f9a26352dd28498282d05335a03dab7d6ac
Link:
https://www.unpac.me/results/a51b296e-4909-4908-a820-821a212af080/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Legit
Score:
0.00
Link:
https://yomi.yoroi.company/submissions/a659a457c8954db3ca3bd4e5f48bc06f9636885aa9f1d51a2348a029b30f79cc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

7z 7dee971cc909d417f623f57e012874e81534b577072789aa004547b8a3a609d7

AgentTesla

Executable exe a659a457c8954db3ca3bd4e5f48bc06f9636885aa9f1d51a2348a029b30f79cc

(this sample)

  
Dropped by
MD5 f2ac1904d46044da303023369662b3f0
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/132829/
  
Dropped by
SHA256 7dee971cc909d417f623f57e012874e81534b577072789aa004547b8a3a609d7

Comments