MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 bb95fd973d3df8164bf450b4350e8446ae82866d22fe4673f6c01de05a872901. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: bb95fd973d3df8164bf450b4350e8446ae82866d22fe4673f6c01de05a872901
SHA3-384 hash: 80b30e21ef81c0564bc8694c6be18b7aee6281e8071f725eee032960fd97d4f555f8745bd27ead26f33d7af0e87ab8aa
SHA1 hash: b2bede632ff6c90af15dec2477f23fbfed25ea32
MD5 hash: 77b43a7102eb68eb0ba9b340865dac5a
humanhash: oxygen-ohio-cup-emma
File name:77b43a7102eb68eb0ba9b340865dac5a.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'155'072 bytes
First seen:2020-12-22 08:43:15 UTC
Last seen:2020-12-22 10:34:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'473 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:LjPd/js2tNLpkHJVCE4wBNGFpkPz3Dt54u10qkclvUKaxqm0HLGDKZqVOyrusAVd:LjPd5deCE7pLD4qkcl8rqFqoqVOyg9/
Threatray 2'515 similar samples on MalwareBazaar
TLSH 8635BE243EFE501DF273AF755AE47196DAAFF6733B07E45E1090038A0613A41DE9263A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.annlap.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
300
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QTN-20-971-JA04Q7 21.doc
Verdict:
Malicious activity
Analysis date:
2020-12-21 07:48:20 UTC
Tags:
exploit CVE-2017-11882 loader keylogger stealer agenttesla
Link:
https://app.any.run/tasks/07284c93-4d51-457b-a813-0a4faf134bd3

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108685/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.482.24268.16128.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/568036
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Binary contains a suspicious time stamp
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 333090 Sample: suk1MHq6DK.exe Startdate: 22/12/2020 Architecture: WINDOWS Score: 100 55 Found malware configuration 2->55 57 Multi AV Scanner detection for submitted file 2->57 59 Yara detected AgentTesla 2->59 61 7 other signatures 2->61 6 suk1MHq6DK.exe 14 2->6         started        10 newapp.exe 8 2->10         started        12 newapp.exe 4 2->12         started        process3 file4 27 C:\Users\user\AppData\...\suk1MHq6DK.exe.log, ASCII 6->27 dropped 63 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->63 65 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->65 67 Injects a PE file into a foreign processes 6->67 14 suk1MHq6DK.exe 17 11 6->14         started        69 Multi AV Scanner detection for dropped file 10->69 71 Machine Learning detection for dropped file 10->71 73 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 10->73 19 newapp.exe 4 10->19         started        21 newapp.exe 10->21         started        23 newapp.exe 8 12->23         started        25 newapp.exe 12->25         started        signatures5 process6 dnsIp7 33 smtp.annlap.com 14->33 35 us2.smtp.mailhostbox.com 208.91.198.143, 49735, 49740, 49750 PUBLIC-DOMAIN-REGISTRYUS United States 14->35 41 4 other IPs or domains 14->41 29 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 14->29 dropped 31 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 14->31 dropped 45 Tries to steal Mail credentials (via file access) 14->45 47 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->47 49 Installs a global keyboard hook 14->49 37 smtp.annlap.com 23->37 39 23.21.252.4, 443, 49783 AMAZON-AESUS United States 23->39 43 2 other IPs or domains 23->43 51 Tries to harvest and steal ftp login credentials 23->51 53 Tries to harvest and steal browser information (history, passwords, etc) 23->53 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/bb95fd973d3df8164bf450b4350e8446ae82866d22fe4673f6c01de05a872901/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-12-21 19:23:24 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=xok73fz5hx4bms7ukc2dkduei2xifbtnel7em47wyao6awuhfeaq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0626455807fad5c69df5158b623b2046f376024449d78dccc8c8c96c8ddc3614
AgentTesla
113a77824329e62d8a2268075f4e8afa9756a9e134d46e87a61618d7b426b9af
AgentTesla
2de8befd5512337e4e9c723289d086b229345708d167936e1212bcf8641f193a
AgentTesla
37499f9ef7586ba024646fc718832f1fe176fbddceb94429fedd4f43a9db99f3
AgentTesla
482e088e44a3e514ac0336587be7d148c85b9264b764ff83441d6ef5f2baf110
AgentTesla
6955f124b7a882b84ee1255e49b793fb36363a63fd377b06907052eff74501d7
AgentTesla
6b6a6cb45c75ffda98874ecb88f2fbc1ec1737222116967459117d6d8d36ecc9
AgentTesla
702d6a03b85d6271ce15b7c32a1e891a2810f9810bd2443809510d7a82e40279
AgentTesla
8bf07a30092940b9c9266ef152db99bb5cb660abe70376815eb6a6be9df01c3e
AgentTesla
ac8f156141fefcb65f941bcf4ec5ddd5c78b2388778b3a9b2e99cebd754fdfa5
AgentTesla
+ 2'505 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201222-1jgcjtktt6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
bb95fd973d3df8164bf450b4350e8446ae82866d22fe4673f6c01de05a872901
MD5 hash:
77b43a7102eb68eb0ba9b340865dac5a
SHA1 hash:
b2bede632ff6c90af15dec2477f23fbfed25ea32
Link:
https://www.unpac.me/results/41401fe4-d126-4c29-93ac-eae77b34de47/
SH256 hash:
3267f2b364d855ea5e184b0888d36f021e677ee37f043985548040ee287956fa
MD5 hash:
bf9d135d3fe9cc57c1411674b4b55158
SHA1 hash:
062ef404bd4e8bb8f3af6507ea94e84149ffe0f6
Link:
https://www.unpac.me/results/41401fe4-d126-4c29-93ac-eae77b34de47/
SH256 hash:
c70d1f71ad5cf949ec1acb50caa37ad31e2765d347652e9ac4f441f58c3f33f1
MD5 hash:
a594ee68dbc9c0b78d592d79bc5383b7
SHA1 hash:
77c30af5db8efbbde6d61b9e42888310638b27d6
Link:
https://www.unpac.me/results/41401fe4-d126-4c29-93ac-eae77b34de47/
SH256 hash:
59779ea713a9e22c634ec5ce26a84ec7f0c521a5c269f353cb2b42ce7e6200cd
MD5 hash:
5506ad9ac3867137f338dcb42466e5d6
SHA1 hash:
8b3d5c180e289030225e38af5ac0f14e0a6f149d
Link:
https://www.unpac.me/results/41401fe4-d126-4c29-93ac-eae77b34de47/
SH256 hash:
f12f4272e2f27437918528d60b96ead94b7d8edf22daec3f3b665b8ac41724e8
MD5 hash:
5b7811bbc8642183c437aa469c8de2f0
SHA1 hash:
eb2d6819161131a3ee5ae10d54cb7592921c1b56
Link:
https://www.unpac.me/results/41401fe4-d126-4c29-93ac-eae77b34de47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/bb95fd973d3df8164bf450b4350e8446ae82866d22fe4673f6c01de05a872901

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe bb95fd973d3df8164bf450b4350e8446ae82866d22fe4673f6c01de05a872901

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/934783/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/108685/

Comments