MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 b9ef185d3f879ecb2a755aef91f48ac6de736185c1f16693afe21dabc70240b9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	b9ef185d3f879ecb2a755aef91f48ac6de736185c1f16693afe21dabc70240b9
SHA3-384 hash:	e339fd53a7ae090b237c10db992eb3555d202a3143be5eabcdd58455860aacf8241b79561a91d04e4ccdf38c5ea1ed28
SHA1 hash:	aaebeb07860fd8747184dce60ae40e96303b5615
MD5 hash:	7b2bf102c84c32f698c158cdf1bc94be
humanhash:	zebra-seventeen-mirror-sink
File name:	PAYMENT.....exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	943'104 bytes
First seen:	2020-09-16 05:55:56 UTC
Last seen:	2020-09-16 06:45:05 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:DfZltGBRmJrQ5il8ljw1MP1xxgZltGBRmJrQ5il8ljw1MP1xx1k+0:bZ2BRL5i2CMPOZ2BRL5i2CMPQ+0
Threatray	2 similar samples on MalwareBazaar
TLSH	BF15012037B91B26DAB947F0656C704453FA3DBAB992F72E5CE071D910B2F208960E77
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/61505/

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.26964.3337.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Creating a file in the %AppData% subdirectories

Reading critical registry keys

Forced shutdown of a system process

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Stealing user critical data

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/467491

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Allocates memory in foreign processes

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/b9ef185d3f879ecb2a755aef91f48ac6de736185c1f16693afe21dabc70240b9/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-09-16 05:32:26 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

2/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xhxrqxj7q6pmwktvllxzd5eky3phgymfyhywne5p4io2xrycic4q._file

Verdict:

unknown

AgentTesla

6400a7dde7bc06a67fb024815767d03b203a608e9e976c998ddd4d10fab34667

AgentTesla

Result

Malware family:

n/a

Score:

7/10

Tags:

persistence spyware

Link:

https://tria.ge/reports/200916-kypgxn89ws/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Adds Run key to start application

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Eldorado

Score:

0.90

Link:

https://yomi.yoroi.company/submissions/b9ef185d3f879ecb2a755aef91f48ac6de736185c1f16693afe21dabc70240b9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 8958c670d4cab09e4ac54be6bb74eba4f47ec0df13819e079a45170b1cc50b1f

AgentTesla

exe b9ef185d3f879ecb2a755aef91f48ac6de736185c1f16693afe21dabc70240b9

(this sample)

Delivery method

Other

Dropped by

SHA256 8958c670d4cab09e4ac54be6bb74eba4f47ec0df13819e079a45170b1cc50b1f

Cape

https://www.capesandbox.com/analysis/61505/

Dropped by

SHA256 ddb20666ad19d907ff8dc6361e9ab00793542a736e8e17c4db64491af8c4f868

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample