MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af910e755d963e281b1d652fc3cbe38d71db63afdaf29043c5edd5b707aefc1e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: af910e755d963e281b1d652fc3cbe38d71db63afdaf29043c5edd5b707aefc1e
SHA3-384 hash: 64f2fa67224e4f465197398d25c02629224123300b40667f5151bd4cee6dff6cc1bc818c1f72fde570575c6c8401048f
SHA1 hash: 766f28f62640058cada1bef9a3f09eff0232ce8a
MD5 hash: ac7ccc8a4670da298794c3683c1a1027
humanhash: neptune-colorado-nitrogen-alabama
File name:OUTSTANDING STATEMENT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:765'952 bytes
First seen:2020-09-18 16:18:18 UTC
Last seen:2020-09-18 16:40:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'738 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:fbk+VONFSWXw28dFIQZ2h/bX/73kfjlTnuQtutSsNq9SRRuPB++r:Y+VOXSWg2EFIf/bX/LkoQ0tSjPBRr
Threatray 7 similar samples on MalwareBazaar
TLSH 91F4DF5032A63F06D0B89BF90204B472C3B12526B665D3887F8325FE66F5BD07E65B4B
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.Inject4.1307.24236.9157.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/470300
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 287502 Sample: OUTSTANDING STATEMENT.exe Startdate: 18/09/2020 Architecture: WINDOWS Score: 100 47 Multi AV Scanner detection for submitted file 2->47 49 Yara detected AgentTesla 2->49 51 Yara detected AntiVM_3 2->51 53 5 other signatures 2->53 6 OUTSTANDING STATEMENT.exe 3 2->6         started        10 DsWhv.exe 4 2->10         started        12 DsWhv.exe 3 2->12         started        process3 file4 25 C:\Users\...\OUTSTANDING STATEMENT.exe.log, ASCII 6->25 dropped 55 Writes to foreign memory regions 6->55 57 Allocates memory in foreign processes 6->57 59 Injects a PE file into a foreign processes 6->59 14 RegSvcs.exe 2 6 6->14         started        19 RegSvcs.exe 6->19         started        21 conhost.exe 10->21         started        23 conhost.exe 12->23         started        signatures5 process6 dnsIp7 29 cortlandfire.org 35.208.151.201, 49740, 587 GOOGLE-2US United States 14->29 31 192.168.2.1 unknown unknown 14->31 33 mail.cortlandfire.org 14->33 27 C:\Users\user\AppData\Roaming\...\DsWhv.exe, PE32 14->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Tries to steal Mail credentials (via file access) 14->37 39 Tries to harvest and steal ftp login credentials 14->39 45 2 other signatures 14->45 41 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->43 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/af910e755d963e281b1d652fc3cbe38d71db63afdaf29043c5edd5b707aefc1e/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-09-18 11:13:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=v6iq45k5sy7cqgy5mux4hs7drvy5wy5p3lzjaq6f5xk3ob5o7qpa._file
Verdict:
unknown
Similar samples:
3c66f6c923c31e14a95ce0888a3ddbe65035b52f8f0477a9097df9c5ff8de1c8
AgentTesla
81017d8c509a860f8c0181a8e7a33c1c6fd27e69d995a734ede171e4b999da81
AgentTesla
d6be58f8ff6c7e1a058e268255ff6ff3ec94b2e50a166cd8ba09ff466be82c5f
AgentTesla
d6e1a688daa6611f7ff1ebf6724c3ccdabc18b97b1f606ec7bc141d8b81e1082
AgentTesla
e4e051a0735b38629b41490c52c79a0bd1f612bad9994bd635adcfce1287b613
AgentTesla
e9b2a4f0d83f860386b4f5941d264b231f1e8c14899bb4a430b21f6123befcd8
AgentTesla
fd427caee9d158cc48ba9b5a0ecd3243a77b354f07321a5f80e5fdcde17aed9f
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200918-bq591n4dma/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/af910e755d963e281b1d652fc3cbe38d71db63afdaf29043c5edd5b707aefc1e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 1c37fcce796420942ace3db0508081882399f862e8f5bd59d82d12218818f972

AgentTesla

Executable exe af910e755d963e281b1d652fc3cbe38d71db63afdaf29043c5edd5b707aefc1e

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1c37fcce796420942ace3db0508081882399f862e8f5bd59d82d12218818f972
Cape
Cape
https://www.capesandbox.com/analysis/63489/

Comments