MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b64834eeb000aadaea8048153c40436a4aa12e1ed93b506e5fb7146465b4943c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	b64834eeb000aadaea8048153c40436a4aa12e1ed93b506e5fb7146465b4943c
SHA3-384 hash:	b6e922ec0eb10ff10f0cbbd4ff4f6953a888772fdb9839c855c52ad080f80fd874fcb9bca063f1f8fa64a11a02dff897
SHA1 hash:	a4c3de173a91088bd35ff1f0629dce7da9808e28
MD5 hash:	730d90960fb2a7cb93f47a8c45987b0d
humanhash:	two-illinois-april-triple
File name:	Quote 571189.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	496'128 bytes
First seen:	2020-10-27 09:05:40 UTC
Last seen:	2020-10-27 13:23:11 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'597 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:Ui003Jq8HcD+jrTxY7mmm02yZhqJJMI2FuptA8bU9U0c9:D3Uuc6jxY7mlTyZQJJN2FuEFUv
Threatray	811 similar samples on MalwareBazaar
TLSH	D2B41230B5E5BFBBD6E98FF320A5B62563F0541B0B1BE944C9B466E1D5C13804BE0E62
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: blancmariclo.com
Sending IP: 103.99.1.143
From: Pablo Silvage <mini@blancmariclo.com>
Subject: Urgent Order 01001O02
Attachment: Quote 571189.zip (contains "Quote 571189.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/79725/

Detection(s):

SecuriteInfo.com.Trojan.InjectNET.14.19730.26687.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/513104

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b64834eeb000aadaea8048153c40436a4aa12e1ed93b506e5fb7146465b4943c/

Threat name:

ByteCode-MSIL.Backdoor.NanoCore

Status:

Malicious

First seen:

2020-10-26 20:34:03 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=wzedj3vqacvnv2uajaktyqcdnjfkclq63e5va3s7w4kgiznusq6a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0cf6c64800271784234f89dd95925d58075254e5756946de94f447b6defee4fc

AgentTesla

4bb2bfa075e9870bbf9ee55dc7bf9a76f3405245380f2183d0b71fad9e9114ad

AgentTesla

8e816e44eb6ebdc6b99876142caba3fc1f8a0633edec29e8c1ae3f57e1ca55c9

AgentTesla

b1e46564ca9ed30c690528cf95e37bc1ee64d97d8da2ed16c4dc22b4478130b5

AgentTesla

bcdb474b57e41b200904ce423a9d3195d4c51de6efc2b713a2df42068fb1377d

AgentTesla

bce2ea2d104a5da7bfa34d0a5157893ae62b5d009783e62e7a557a22ba0c807a

AgentTesla

d680dbf7e5c6774f5f86088c75ed4fae322e35418f4d8c9dc545f93214267358

AgentTesla

f071c302252202ae71dd004191dad662307c670d95b53b7c0f5d0c8c039e9e7b

AgentTesla

f587268a159ff1575424cb5897096b60eaf11a2f94a40b48e844c05f03ebc004

AgentTesla

+ 801 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

persistence spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/201027-earyz2jk12/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.