MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b60f00c8d27d8282118e085eb407d706388186487ff014b1dcf238efe1ed940f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 4

Intelligence 4 IOCs YARA 1 File information Comments

SHA256 hash:	b60f00c8d27d8282118e085eb407d706388186487ff014b1dcf238efe1ed940f
SHA3-384 hash:	96adb8aa6560ef632d196cf306f7d56509533ee6b21d057b1ce6d666ead08bb058897c5cb24c7b9286298d4619bc942b
SHA1 hash:	eee631937c273a719b4a3400242f2b41defedec3
MD5 hash:	5640851c35221c3ae7bbde053d1bb38e
humanhash:	thirteen-papa-high-jupiter
File name:	BNE9C0.tmp
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'126'912 bytes
First seen:	2020-07-16 18:38:35 UTC
Last seen:	2020-07-17 08:23:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:MBrqWzPMv/ljmxj1yUJ9aBUlUFdYjQnviOQ7Ozovy3d6p05:MhkXlc0OjQnviOQ7Cor
Threatray	9 similar samples on MalwareBazaar
TLSH	C3355B0133E8CA27E1AE5B71A0B108684BB0F516AB75DB8F5DA099FE1D937406D053FB
Reporter	malware_traffic
Tags:	AgentTesla exe

malware_traffic

Follow-up malware from a Hancitor infection on Thursday 2020-07-16

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/26954/

Detection(s):

SecuriteInfo.com.Win32.Hedo.6335.25017.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

DNS request

Sending an HTTP GET request

Result

Threat name:

Unknown

Detection:

malicious

Classification:

troj.spyw.evad

Score:

88 / 100

Link:

https://www.joesandbox.com/analysis/388748

Signature

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Machine Learning detection for sample

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries memory information (via WMI often done to detect virtual machines)

Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b60f00c8d27d8282118e085eb407d706388186487ff014b1dcf238efe1ed940f/

Threat name:

ByteCode-MSIL.Trojan.DataStealer

Status:

Malicious

First seen:

2020-07-16 18:40:07 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wyhqbsgspwbieemobbplib6xay4idbsip7ybjmo46i4o7ypnsqhq._file

Verdict:

unknown

AgentTesla

22c3a95888a885a0120c5e991ca0dda76239b5c92a1a416465edfe67d4d0a160

AgentTesla

264662e60005a099f9aaaa88e1dcee1381a3a187a158fdfbc40bbd5024407cb1

AgentTesla

36f7bb3f776e1b4d97a2cf8cd65aac04593a797a8d46936d0900041995020465

AgentTesla

422761ce807ba569d378b3130493e84a531d310d1ed8e0559d6313fdf91cd5b0

AgentTesla

4e14841c96a09f5850d1cf5fcb3526714c22d7174e3f75c8a309d8db36ecef93

AgentTesla

861878b319e66fd632f7d7623f0b56028f18d1e315680a15fc161a451ac9c788

AgentTesla

9a3b89ea2396b22020fc8e3bde1b832ca70d8b875b088f451f54e85f359380df

AgentTesla

e892e7f5b3919e1c3d92ee26e7b4313e753cad797e3397138a1ccef2b1289b1d

AgentTesla

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware discovery

Link:

https://tria.ge/reports/200716-3g7qzmd9ks/

Behaviour

Modifies system certificate store

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Checks installed software on the system

Looks up external IP address via web service

Checks installed software on the system

Looks up external IP address via web service

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/26954/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample