MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a795ffcfaa9ad62c2bccc4c7240e6a96840c1b2ee7afd6b718526e9c61e6732c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a795ffcfaa9ad62c2bccc4c7240e6a96840c1b2ee7afd6b718526e9c61e6732c
SHA3-384 hash: 2590e25265186203a60aee5ba5b9b73e82ac9390e0d694daba4a4881a1f893d0a08fd2ea8279c669eb54be14d980f3b3
SHA1 hash: 022387e23a3368bb0a0b74b5492f014595f6514f
MD5 hash: 5c14afd4ca6eecabe5eacf949cb76994
humanhash: six-delta-mountain-hydrogen
File name:Payment copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:950'784 bytes
First seen:2020-07-20 11:16:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep 12288:dkm+k7id1q9I6/kVdSC0Dycod+ik4g8ylSoDViYN1cIXEhMcVn2kypZX:VNGdudWYrE3oDVdIISCr
Threatray 10'617 similar samples on MalwareBazaar
TLSH 2E15E1C87A40E40EC59E1EBA4E51CD708370AD86F6F3E34727C66D9E297E39BC905291
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
73
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/28993/
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391435
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 248105 Sample: Payment copy.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 63 Found malware configuration 2->63 65 Antivirus / Scanner detection for submitted sample 2->65 67 Sigma detected: Capture Wi-Fi password 2->67 69 8 other signatures 2->69 8 basapp.exe 3 2->8         started        11 Payment copy.exe 3 2->11         started        14 basapp.exe 2 2->14         started        process3 file4 71 Antivirus detection for dropped file 8->71 73 Multi AV Scanner detection for dropped file 8->73 75 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->75 79 2 other signatures 8->79 16 basapp.exe 13 8->16         started        43 C:\Users\user\...\Payment copy.exe.log, ASCII 11->43 dropped 20 Payment copy.exe 2 16 11->20         started        23 Payment copy.exe 11->23         started        77 Injects a PE file into a foreign processes 14->77 25 basapp.exe 14->25         started        signatures5 process6 dnsIp7 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->47 49 Installs a global keyboard hook 16->49 27 netsh.exe 16->27         started        45 premium71.web-hosting.com 198.54.125.197, 26, 49720, 49721 NAMECHEAP-NETUS United States 20->45 39 C:\Users\user\AppData\Roaming\...\basapp.exe, PE32 20->39 dropped 41 C:\Users\user\...\basapp.exe:Zone.Identifier, ASCII 20->41 dropped 51 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->51 53 Moves itself to temp directory 20->53 55 Tries to steal Mail credentials (via file access) 20->55 29 netsh.exe 3 20->29         started        57 Tries to harvest and steal ftp login credentials 25->57 59 Tries to harvest and steal browser information (history, passwords, etc) 25->59 61 Tries to harvest and steal WLAN passwords 25->61 31 netsh.exe 25->31         started        file8 signatures9 process10 process11 33 conhost.exe 27->33         started        35 conhost.exe 29->35         started        37 conhost.exe 31->37         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a795ffcfaa9ad62c2bccc4c7240e6a96840c1b2ee7afd6b718526e9c61e6732c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 11:17:54 UTC
File Type:
PE (.Net Exe)
Extracted files:
3
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=u6k77t5ktllcyk6mytdsidtks2caygzo46x5nnyykjxjyypgomwa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
065bc29beee579f4df10691c61b9d3bc38ac4c271da4eb2e1ccfce7a2e33dd93
AgentTesla
36adc32ee7a0c83b662d08a804004e8129aaef0cd75e76376ff23f0fe3dd831f
AgentTesla
4aba472bffc408315c06d8d015ac5241175d6ccfea8c3c04065ba64eccd94cfb
AgentTesla
4fba937f1e8ae7eab73de2233f36e813fc2e4e889cbf5103f72ed642ba2e76c3
AgentTesla
5c133741b443850a940c58eb5a162c485b8186d0db0c99be3962e277eecca550
AgentTesla
6af32b6b849f1186317e65f84c1d59cc03ce878ca8e3706c5d7afae2389b3c64
AgentTesla
a1d0c4b67f70957eb177330c4bac5fb51496f87b7be4e86580673a9e3442ad83
AgentTesla
ad7db1393e62d89dcb0039aa5ba64a897e88d3f6b76d146ccf419e952e57c317
AgentTesla
b8cf49555f75f9f06bdfb76150d4b3e1a01a831a7eac7b644dde084c212a43d2
AgentTesla
db96c9d3e32ee723b3f041a0f0ddd9f86117f4be9c6fc54de69d781e025584b1
AgentTesla
+ 10'607 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200720-r4zf98clcs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Modifies service
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a795ffcfaa9ad62c2bccc4c7240e6a96840c1b2ee7afd6b718526e9c61e6732c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz bd963eb7079356f5bc07e775d784055f2e93fba7edf096898e9303a50895cb2c

AgentTesla

Executable exe a795ffcfaa9ad62c2bccc4c7240e6a96840c1b2ee7afd6b718526e9c61e6732c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 bd963eb7079356f5bc07e775d784055f2e93fba7edf096898e9303a50895cb2c
Cape
Cape
https://www.capesandbox.com/analysis/28993/

Comments