MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb4d30cce0ba90d1d7a9d260281c8d8dba3e8365f131e4653ac5c32e43d37c4e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb4d30cce0ba90d1d7a9d260281c8d8dba3e8365f131e4653ac5c32e43d37c4e
SHA3-384 hash: 05f0e4ab643efce2b366fd65e09c8e72902f6fa74d076078afad78d7c50af2fc9f03c5f773b8ea101160ee679a0c2aca
SHA1 hash: 1ddf3f7290c7bc120be2130ff1700f24c5b4dab7
MD5 hash: ffa839a710477911800799f1e676d405
humanhash: bakerloo-wisconsin-cat-pizza
File name:PO 10962496 C4 KWT 360 20047907 RALIK DERS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'177'024 bytes
First seen:2020-12-20 12:11:31 UTC
Last seen:2020-12-20 13:33:36 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:pUI2GKGMTKwy41W8K49S4y+9fZWR3YC8UUJc0isWlfVP3kmhdJvlMukcORrymxW8:pUI2GKGMT
Threatray 1'914 similar samples on MalwareBazaar
TLSH EEA522524A8168CBD390A4A0A38ED6457387838CC7EA7FD4BE82D25670CC1AFDB7DD54
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: slot0.vmouzaki.com
Sending IP: 45.85.90.150
From: Midlands td<office@vmouzaki.com>
Subject: PO1095
Attachment: PO10962496.zip (contains "PO 10962496 C4 KWT 360 20047907 RALIK DERS.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
232
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO 10962496 C4 KWT 360 20047907 RALIK DERS.exe
Verdict:
Malicious activity
Analysis date:
2020-12-20 12:12:21 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/dd989978-be44-4d78-8a6d-9d27a138dd13

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108614/
Detection(s):
SecuriteInfo.com.Generic.mg.ffa839a710477911.24030.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Creating a file
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Enabling autorun by creating a file
Enabling autorun
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/567003
Signature
.NET source code contains very large array initializations
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332584 Sample: PO 10962496 C4 KWT 360 2004... Startdate: 20/12/2020 Architecture: WINDOWS Score: 100 33 Yara detected AgentTesla 2->33 35 .NET source code contains very large array initializations 2->35 37 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 2->37 39 4 other signatures 2->39 6 PO 10962496 C4 KWT 360 20047907 RALIK DERS.exe 3 5 2->6         started        10 PO 10962496 C4 KWT 360 20047907 RALIK DERS.exe 2 2->10         started        12 PO 10962496 C4 KWT 360 20047907 RALIK DERS.exe 2 2->12         started        14 3 other processes 2->14 process3 file4 27 PO 10962496 C4 KWT...7907 RALIK DERS.exe, PE32 6->27 dropped 29 PO 10962496 C4 KWT...exe:Zone.Identifier, ASCII 6->29 dropped 31 PO 10962496 C4 KWT... RALIK DERS.exe.log, ASCII 6->31 dropped 47 Creates an undocumented autostart registry key 6->47 49 Creates autostart registry keys with suspicious names 6->49 51 Creates multiple autostart registry keys 6->51 16 PO 10962496 C4 KWT 360 20047907 RALIK DERS.exe 2 6->16         started        53 Injects a PE file into a foreign processes 10->53 18 PO 10962496 C4 KWT 360 20047907 RALIK DERS.exe 10->18         started        21 PO 10962496 C4 KWT 360 20047907 RALIK DERS.exe 2 12->21         started        23 PO 10962496 C4 KWT 360 20047907 RALIK DERS.exe 12->23         started        25 PO 10962496 C4 KWT 360 20047907 RALIK DERS.exe 14->25         started        signatures5 process6 signatures7 41 Tries to steal Mail credentials (via file access) 18->41 43 Tries to harvest and steal browser information (history, passwords, etc) 18->43 45 Installs a global keyboard hook 18->45
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb4d30cce0ba90d1d7a9d260281c8d8dba3e8365f131e4653ac5c32e43d37c4e/
Threat name:
ByteCode-MSIL.Trojan.Woreflint
Create hunting rule
Status:
Malicious
First seen:
2020-12-20 12:12:12 UTC
AV detection:
12 of 29 (41.38%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xngtbthaxkindv5j2jqcqhenrw5d5a3f6ey6izj2yxbs4q6tprha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
199da37d02aa71c502adf3a623de188b25f7cb2001b4936a798ea8a6a9c20ad3
AgentTesla
5e7ab36ec389a4294220c2b5535e8389fcb1acbd09b7a87dbc2e924ee54544b6
AgentTesla
6609cf9b0aefabaaf1bccc04237e6ff32315960166bf4aa2ff5372cfb51c80d3
AgentTesla
7e85d37c83789d89d9a1fe6f7788448a0c16700d7fc3bec1ad668b51a1739ee9
AgentTesla
8ef317f2278fbe6a533e8f78b932698e986280d2f4a6716aaaaa4dc5692222a8
AgentTesla
95b6a02e3bfccd61edaa3f291e2daaed0ee8852a80f26ac7ecb6a1ed7c416845
AgentTesla
97a4e627e5182df35863f15f757d3de6f98fb7f3d94664a751df46a9d0b1eb8a
AgentTesla
b0cea585c416540b6820f91a0c1cf8d8eb6776ec0cecce0709cd2c22f15f7cc3
AgentTesla
be48a66b718f94c2379453ff845e0047504573e3c0e1a9f7ab3011dab1c06b57
AgentTesla
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
AgentTesla
+ 1'904 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
persistence spyware
Link:
https://tria.ge/reports/201220-w1rramj66a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Modifies WinLogon for persistence
Unpacked files
SH256 hash:
02103b9f02223aeaf1f7ab4ef723b0167bddf254b3512c22673beaa5701a579a
MD5 hash:
2a6d24cfef119097dfd478364c29d151
SHA1 hash:
167079cf0853e5aac2c713f1011d3e7b4b8b1272
Link:
https://www.unpac.me/results/4da95814-e4af-4790-a61b-2256908ff0a8/
SH256 hash:
349330d02ff032ab0a0e22b835f942c1b77aaa521775c57f48742272da322b0c
MD5 hash:
ea83b47b413caa42dc95a5d5863a905f
SHA1 hash:
260389d6ac916a64172c811b3a65b10f678b1fb9
Link:
https://www.unpac.me/results/4da95814-e4af-4790-a61b-2256908ff0a8/
SH256 hash:
bb4d30cce0ba90d1d7a9d260281c8d8dba3e8365f131e4653ac5c32e43d37c4e
MD5 hash:
ffa839a710477911800799f1e676d405
SHA1 hash:
1ddf3f7290c7bc120be2130ff1700f24c5b4dab7
Link:
https://www.unpac.me/results/4da95814-e4af-4790-a61b-2256908ff0a8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb4d30cce0ba90d1d7a9d260281c8d8dba3e8365f131e4653ac5c32e43d37c4e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 23740ffb73245437780bb8c2d3e3f890f72d15337a08788ceeb20bec4669bf87

AgentTesla

Executable exe bb4d30cce0ba90d1d7a9d260281c8d8dba3e8365f131e4653ac5c32e43d37c4e

(this sample)

  
Dropped by
MD5 011c2222c27f2355904a1c6cd7848860
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/108614/
  
Dropped by
SHA256 23740ffb73245437780bb8c2d3e3f890f72d15337a08788ceeb20bec4669bf87

Comments