MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ab31adfeabb7c40d485b9926f5c9ad2c51605202546aa5619163a0165e31b10f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ab31adfeabb7c40d485b9926f5c9ad2c51605202546aa5619163a0165e31b10f
SHA3-384 hash: 021c2a4d2a5269e80784401a0f19172a21c041d4b8f49b09111211a3629a80b662eefef8b2b5ab263e8f61843c494e79
SHA1 hash: 77973102d0831bafe1f52f56ac8bd37251be193c
MD5 hash: 4c054745c3380e57030f39f95139b09a
humanhash: burger-bakerloo-nine-muppet
File name:Jun2001202.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:840'704 bytes
First seen:2020-10-02 09:10:26 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:4/nca2PRPUGeR7rfaKSosz/Vz+sg+zrYIZI85OAYxI8cRIXieQGzPyDXfHkS9/jz:4fca2teR/SfoCMkrX0As9yeQGzu0
Threatray 9'473 similar samples on MalwareBazaar
TLSH 95050157B26C1B6DE3AA47F23435413007B9AF671620E6897CD8FCDE1871B4CAA01AD7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
mail.hybridgroupco.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/67693/
Detection(s):
SecuriteInfo.com.Artemis4C054745C338.11345.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480075
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 292477 Sample: Jun2001202.exe Startdate: 02/10/2020 Architecture: WINDOWS Score: 100 29 Multi AV Scanner detection for domain / URL 2->29 31 Found malware configuration 2->31 33 Antivirus detection for dropped file 2->33 35 11 other signatures 2->35 7 Jun2001202.exe 6 2->7         started        process3 file4 19 C:\Users\user\AppData\...\JuUBggsyTAQ.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmpC26C.tmp, XML 7->21 dropped 23 C:\Users\user\AppData\...\Jun2001202.exe.log, ASCII 7->23 dropped 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->37 39 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->39 41 Injects a PE file into a foreign processes 7->41 11 Jun2001202.exe 4 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 hybridgroupco.com 66.70.204.222, 49743, 587 OVHFR Canada 11->25 27 mail.hybridgroupco.com 11->27 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ab31adfeabb7c40d485b9926f5c9ad2c51605202546aa5619163a0165e31b10f/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2020-10-02 07:15:32 UTC
AV detection:
37 of 48 (77.08%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vmy237vlw7ca2sc3tetplsnnfriwauqckrvkkymrmoqbmxrrwehq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
266aba3c76dc29ae2cdc7340079dcb6e73f2638bbfc6e1df805641edaae68efd
AgentTesla
4e655c620ed90cdbcd62d7c884c807cf82c8fff069da38d293dc746839597399
AgentTesla
6dfcd16fd49c65c541603ff162b0614aabfc70548455b21c3877240855df12c8
AgentTesla
9b3a4e8995b4abd7596009d4d52e156b2d70600084c006d692e83578df3aee16
AgentTesla
9bac0e273d5e86b4be40e949d0256c1f8fc3fd65559a55524c88797b7ba0194d
AgentTesla
b745f8bc7dd3ee96edc308bcfbe51d0807a32a31be0a99b56a847d9df84cc200
AgentTesla
ce0d61881089155602217097bc0d8767227eaa1128087e0e2ea230abab0246ff
AgentTesla
e111f55125b49b9f9f07fecc8f6506062248511cda75a4428b677536db0df8d1
AgentTesla
e5a881a192dcbc6434585a8a1fa4745488f092b9713945def86fe6c2a87de5fd
AgentTesla
ff339c6387678ac6ad9e7403a579d0d52dbac97e94b65d0a6a1ea852bd10673a
AgentTesla
+ 9'463 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201002-zllm2q1mms/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
ab31adfeabb7c40d485b9926f5c9ad2c51605202546aa5619163a0165e31b10f
MD5 hash:
4c054745c3380e57030f39f95139b09a
SHA1 hash:
77973102d0831bafe1f52f56ac8bd37251be193c
Link:
https://www.unpac.me/results/192dc7a3-20e5-4446-9f40-f93c4d353bc8/
SH256 hash:
d437294f5fb22f13a6c35ba4974c6a4025ca7c613163d7196640c1383570afa3
MD5 hash:
26ed2921e9b983bc36f393d588b6422f
SHA1 hash:
25bf0a9b188504b83ddf3ad8182aedc00bffa098
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/192dc7a3-20e5-4446-9f40-f93c4d353bc8/
Parent samples :
ab31adfeabb7c40d485b9926f5c9ad2c51605202546aa5619163a0165e31b10f
404a8a0adbd4a85e364eb3083b802c19282bfd1cb34a74ca257141db1fca34bb
f114260deddc0c7ea49c9a76fca65890679874e9d295c0015d6de8f736fb8c5e
c62b96f303f538748543747d1dacb97119dd9826b53ef6c8350b5b24d69f0006
d0ea8610ecee6c92c50af51c37a0a49f8550768609a08a5a2dcaf98bb06dcff3
37b12c3ecf410a6a0aa7f38dc28d2f7d6338a9616c53e2515724f5f7e3b6715c
SH256 hash:
e0f1f79b7a1e0479c53c843a8ea203ecd06904c0e62c6caea57e1e18b633fc26
MD5 hash:
5b55ea896a010fc6fc2153f8d024fdef
SHA1 hash:
9b53617683dbafa76a71a0ed64e8d12caa0f79af
Link:
https://www.unpac.me/results/192dc7a3-20e5-4446-9f40-f93c4d353bc8/
SH256 hash:
f7690fb2798eb8fe5c30b0e353d1c2d59a13fc14e5cf316c7776c3093e77efc7
MD5 hash:
bb6665041783a9c980e259f4307a0bba
SHA1 hash:
c1fc68d15684cf6cf755a87e8777874b051d9d27
Link:
https://www.unpac.me/results/192dc7a3-20e5-4446-9f40-f93c4d353bc8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/ab31adfeabb7c40d485b9926f5c9ad2c51605202546aa5619163a0165e31b10f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe ab31adfeabb7c40d485b9926f5c9ad2c51605202546aa5619163a0165e31b10f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/67693/

Comments