MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b88b4b4716bc914572c1c9711d2d620ee64f037b0b2cc8c8075f3d7777448925. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	b88b4b4716bc914572c1c9711d2d620ee64f037b0b2cc8c8075f3d7777448925
SHA3-384 hash:	1ea1beecc86171e53edee5ed92fc067c9ab193650cfe3769799f020faa457ca809c732242cb97009a89cffd47cc081cd
SHA1 hash:	3a352e78ec1280c7df4a5442e25e61ab102d0fc4
MD5 hash:	da285c21716b61681d947e4c5cad02fd
humanhash:	failed-grey-winner-mississippi
File name:	paid invoice.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	787'456 bytes
First seen:	2020-09-14 05:36:13 UTC
Last seen:	2020-09-14 13:44:07 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	a37dabab645e6a3a3647e1c3e0a095f3 (9 x MassLogger, 3 x AgentTesla, 1 x Loki)
ssdeep	12288:Vl8aA/ubk1mlLHfff17XxC/+/5Jf6LNP1AsRfBZA6fziS7iY87:LBZbh/ffFxC/IyVRfBWqz2
Threatray	1'460 similar samples on MalwareBazaar
TLSH	C8F48D22A2E04837D1B31A389C1B52B4983AFD313F3899466BECDD6C4F3865139753A7
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/58941/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

DNS request

Sending a custom TCP request

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/465000

Signature

.NET source code contains very large array initializations

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b88b4b4716bc914572c1c9711d2d620ee64f037b0b2cc8c8075f3d7777448925/

Threat name:

Win32.Backdoor.Androm

Status:

Malicious

First seen:

2020-09-13 20:03:07 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xcfuwrywxsiuk4wbzfyr2llcb3te6a33bmwmrsahl46xo52eresq._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

agenttesla

AgentTesla

15b1fccedf30741c78e9fe3b4a7fe4996823534c0b019f1c725b140c9f92cd24

AgentTesla

165a1197676a6b92b0086bbdb79a3b615c83ec9d686449b934c4475905608b2a

AgentTesla

6391f077fabb4d0ecaf412c43d048c4abd7dd9ad0dd5ff4a42d497b88c9f545f

AgentTesla

7920cfd32426a9f0b8ad80dcae145d1befcfefcaf55faa4ad45870bf0d780c2e

AgentTesla

b164d28e3519db34d82b889bc923d06fc8f5b33dbdec005ee35361cf45910df5

AgentTesla

c1c8905198fca177bb8307d0a49143971c4c194149a659106b279a5d1be9e998

AgentTesla

d0ced70a4b700dc5e0905bf3743a224ac4722139d7507e367c32880c72ecd048

AgentTesla

d19f7c46b3fa82c6f7902bdc4679d13f9933f72c2826e817bff08e7d0869a92c

AgentTesla

d31f78ca870cb00d01149673057fa11f2d241d68debca8c85c8460bd775ae431

AgentTesla

+ 1'450 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200914-s4m3h15t66/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Gamarue

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/b88b4b4716bc914572c1c9711d2d620ee64f037b0b2cc8c8075f3d7777448925

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 388f024cdccbce8d33cca92f84d9176d9132fe060fad30146b54c77f6a2cf6bc

AgentTesla

exe b88b4b4716bc914572c1c9711d2d620ee64f037b0b2cc8c8075f3d7777448925

(this sample)

Delivery method

Other

Dropped by

SHA256 388f024cdccbce8d33cca92f84d9176d9132fe060fad30146b54c77f6a2cf6bc

Cape

https://www.capesandbox.com/analysis/58941/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample