MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43
SHA3-384 hash: 20b48be02a9db456e9a6e214accc1cc8d201b6fd3c4dacfeebf0ebece38e5b01c0c682cb9c404b768ce6a601f607bf4c
SHA1 hash: 25b3129ea5a77afdc84fb80923f21689f75a9205
MD5 hash: 7c1a4c9622e4b76e03aa95e55d9ff895
humanhash: papa-avocado-happy-bluebird
File name:index.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:522'752 bytes
First seen:2020-10-13 15:16:41 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:MSN8qmy1UT2HS8dVM3DAJwuU/MAH79mAesr/aFZ+5nhGvYBqm:dN8WmSZJwuUkARDeFZ+aG
Threatray 6 similar samples on MalwareBazaar
TLSH 7FB4C4E2D6468D99E87417FA8132DD7E52675EA9A430962A41FDB833FEF31830C25C43
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
107
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/70540/
Detection(s):
SecuriteInfo.com.Atros7.AZS.11294.11818.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Sending an HTTP GET request
Setting a keyboard event handler
Reading critical registry keys
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Sending a TCP request to an infection source
Stealing user critical data
Result
Threat name:
Agent Tesla AgentTesla
Create hunting rule
Detection:
malicious
Classification:
phis.troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489981
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Agent Tesla keylogger
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Yara detected Agent Tesla Trojan
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297462 Sample: index.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 34 Malicious sample detected (through community Yara rule) 2->34 36 Antivirus / Scanner detection for submitted sample 2->36 38 Multi AV Scanner detection for submitted file 2->38 40 7 other signatures 2->40 7 index.exe 1 5 2->7         started        11 index.exe 2 2->11         started        13 index.exe 2 2->13         started        process3 file4 24 C:\Users\user\AppData\Roaming\...\index.exe, PE32 7->24 dropped 26 C:\Users\user\AppData\Local\...\index.exe.log, ASCII 7->26 dropped 50 Hides that the sample has been downloaded from the Internet (zone.identifier) 7->50 15 index.exe 2 7->15         started        18 index.exe 11->18         started        signatures5 process6 signatures7 52 Antivirus detection for dropped file 15->52 54 Multi AV Scanner detection for dropped file 15->54 56 Machine Learning detection for dropped file 15->56 58 3 other signatures 15->58 20 index.exe 15 16 15->20         started        process8 dnsIp9 28 checkip.dyndns.org 20->28 30 temizlikhizmetleri.net 23.236.62.147, 443, 49737, 49738 GOOGLEUS United States 20->30 32 checkip.dyndns.com 131.186.161.70, 49736, 80 DYNDNSUS United States 20->32 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 20->42 44 Tries to steal Instant Messenger accounts or passwords 20->44 46 Tries to steal Mail credentials (via file access) 20->46 48 3 other signatures 20->48 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43/
Threat name:
ByteCode-MSIL.Trojan.CryptPack
Create hunting rule
Status:
Malicious
First seen:
2018-02-15 06:14:59 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
39 of 48 (81.25%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0ae13a39ba870f8b572d742a201f342a022e9a541eea06143996839edd8a8906
AgentTesla
0e4c61028e569af183b697a0097f4668d1234478778b52a4b791da02b42096a5
AgentTesla
7c207a6ad28507e302b1165849b57a09695482d5c07bae27dcbba92a55163e5f
AgentTesla
a6bf564665f281e7226d137f8da8692436c44edb6ab7881cab31282ffd6649ad
AgentTesla
e3afb8be8f04e148a4214c375eff4817f2afcfcaff0f6a0bf2f5e324d9649b1b
AgentTesla
e9a8bf4f31da146761af10a16f17c402c2de1bfbafe5f770b1ffadbe373a2aa4
AgentTesla
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201013-cxppsh8e8a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43
MD5 hash:
7c1a4c9622e4b76e03aa95e55d9ff895
SHA1 hash:
25b3129ea5a77afdc84fb80923f21689f75a9205
Link:
https://www.unpac.me/results/11fc9514-3e20-4dcd-8f95-0e473a5a5f9a/
SH256 hash:
6c5c24db2e23e5c4abaf63fa24d5e011b60bad572b53dccff32fd45ff635a325
MD5 hash:
4e72aa64c8045510e5ad18fc46bebe44
SHA1 hash:
02779f0cdbf6fd654001b5c84ac9d470157232a6
Detections:
win_agent_tesla_g1
Create hunting rule
Link:
https://www.unpac.me/results/11fc9514-3e20-4dcd-8f95-0e473a5a5f9a/
SH256 hash:
d55800a825792f55999abdad199dfa54f3184417215a298910f2c12cd9cc31ee
MD5 hash:
bfb160a89f4a607a60464631ed3ed9fd
SHA1 hash:
1c981ef3eea8548a30e8d7bf8d0d61f9224288dd
Link:
https://www.unpac.me/results/11fc9514-3e20-4dcd-8f95-0e473a5a5f9a/
SH256 hash:
2fad6349424110e54e9d8ead11682b97e46702a9397cf2aac216ae18da823d41
MD5 hash:
6b93b74fc45b5df2d095f2715df92bfd
SHA1 hash:
e422811b8e6773187aae09b26dfa9a352bb598b8
Link:
https://www.unpac.me/results/11fc9514-3e20-4dcd-8f95-0e473a5a5f9a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Golroted
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aa305c826cfb235b5741ccd1c36fe44c67819447424fbfdefae798c247f7ad43

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla
Create hunting rule
Author:Stormshield
Description:Detecting HTML strings used by Agent Tesla malware
Reference:https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/
Rule name:win_agent_tesla_g1
Create hunting rule
Author:Slavo Greminger, SWITCH-CERT

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/70540/

Comments