MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b796ebc23a355b8fbd29552b2ff7142f09617c25a30a33d5a92626f69e337d48. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	b796ebc23a355b8fbd29552b2ff7142f09617c25a30a33d5a92626f69e337d48
SHA3-384 hash:	366ad67484f016ce81347693d49a183eac91b9fcf64d099f0e287fcf9bbbae515b408574f8614eaac3660fcc35840ffb
SHA1 hash:	00abdec221e84a67140e2ae239f4c64a9213b211
MD5 hash:	ef0aafefa653a36a33a9a8469f1e8159
humanhash:	stairway-arkansas-low-sink
File name:	Draft Ship Documents GB00033312TT 240HQFOBUV99034080 - JJFL70010066 - DQ-277 ETD 25 Sep.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	543'744 bytes
First seen:	2020-09-18 09:31:52 UTC
Last seen:	2020-09-18 10:42:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:KiTzYG1w0wODUfOg5ZodnvtcZCnRn0LdAA:KiTz/tUfjwnvhnRngA
Threatray	106 similar samples on MalwareBazaar
TLSH	C6C4E6F227838468CA6B4275057784C2F573228F3DA44D2D75B7EB092D2E3CA56A258F
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

109

Origin country :

n/a

Vendor Threat Intelligence

Gathering data

Detection(s):

SecuriteInfo.com.Variant.Ser.Ursu.7782.11214.5837.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %temp% subdirectories

Creating a file

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Setting a keyboard event handler

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/469854

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Found malware configuration

Icon mismatch, binary includes an icon from a different legit application in order to fool users

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Installs a global keyboard hook

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b796ebc23a355b8fbd29552b2ff7142f09617c25a30a33d5a92626f69e337d48/

Threat name:

ByteCode-MSIL.Trojan.Kryptik

Status:

Malicious

First seen:

2020-09-18 09:33:06 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=w6loxqr2gvny7pjjkuvs75yuf4ewc7bfumfdhvnjeytpnhrtpvea._file

Verdict:

unknown

AgentTesla

0442367788ead3ccf0c9a36805053be48c332ab656f51667f4c08cbbfa3f3ac0

AgentTesla

0e7ba6c8acc0e3de5a31e050eb287daba683c992e12c4715730ef3ccf3bbf575

AgentTesla

80f341333728513fea45dc07c8582e5a8c3ac630de39b53ef23d1742ddc0f5d2

AgentTesla

84e0b5e6daeb11cdca531a22315506ee74a14bd6b0ae9c563fde694aa955867a

AgentTesla

99afa20e22dac4e8fd5f536c3fd6c806fa6a9f52a0458c0c1a90fdc3e8a1f3f8

AgentTesla

b1c87bb82c46e28ccb5188475def1c24b3239f0508372163cd75d2abc6eaf049

AgentTesla

c639621985cf5e13b426c10f605d28767636aabd6ac4e8d16da8ddc2c2bbc356

AgentTesla

ee5d1f995e8d669ab4c9273672b02af132b998e009088e7598c3e97d6d370d0e

AgentTesla

fe13b5826a85afc204c9be0a3c8da5fb28844c5d7829413d23dd7e4229400bf4

AgentTesla

+ 96 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200918-fgj299nqt6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b796ebc23a355b8fbd29552b2ff7142f09617c25a30a33d5a92626f69e337d48

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	MAL_RANSOM_COVID19_Apr20_1 Create hunting rule
Author:	Florian Roth
Description:	Detects ransomware distributed in COVID-19 theme
Reference:	https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/