MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 be9f5e6022d9789d876755aec74c292164c2a751ddc977db7a0f9c800967b56d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	be9f5e6022d9789d876755aec74c292164c2a751ddc977db7a0f9c800967b56d
SHA3-384 hash:	d167acf4f08f834f6dc028114095f601da574a9716b78294a6ef7b2a29f881d36583c954f290ca8c03a9404b0221cd02
SHA1 hash:	aee0a8ff81b579c0680f9bec698712b617c389ed
MD5 hash:	e90f2dfb53a2aedddef4d1ce3123b7e1
humanhash:	alabama-neptune-uranus-three
File name:	zec.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	710'656 bytes
First seen:	2020-10-13 12:24:04 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d24108c314d2f2eea5b7aeed7773006a (11 x Loki, 3 x AgentTesla, 2 x MassLogger)
ssdeep	12288:nev7BmfbLWqfNhR9yMz+uRJ3szhb9iartm1+y99rhuMP2zwPE:UGmq1htjJ3stlEXVuu2zaE
Threatray	1'954 similar samples on MalwareBazaar
TLSH	75E48D32B2AD4437C163177C9C0B5768DC25BE103A2878862BF91D7C5F392B1792AE97
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

From: Sophia Le <sophia.le@sotrans.com.vn>
Subject: QUOTATION
Attachment: RFQ.cab (contains "zec.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/70427/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Moving of the original file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/489624

Signature

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Moves itself to temp directory

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/be9f5e6022d9789d876755aec74c292164c2a751ddc977db7a0f9c800967b56d/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-13 12:25:11 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=x2pv4ybc3f4j3b3hkwxmotbjefsmfj2r3xexpw32b6oiaclhwvwq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

32b7e50b1e2b52a1791a053bccfabae95ef1ee46e1403c0422685955488caea2

AgentTesla

3690ee8b15550b1ac997b497e19b0b556b78cd80747d458c09ed8185a55410f3

AgentTesla

46df88abb8b7f783add8e2688ed3fc2632020fc30f6a87172264a4f434af2524

AgentTesla

7d2de8ad52206903337b1671c205238cc31d868de8dc05ea193f126b29f0eaae

AgentTesla

967acde0ffebcc8683525ad426af0896f3391217d81929592e7e09c8c359bfca

AgentTesla

a1f0a2fc55c1f89ba1021610d5d7af4fc6ea942fad665563acaecba64cd8ae70

AgentTesla

c2fc9ec57100583ddea71503ba097b6eb514c76ed77feb86e86fc080146ba186

AgentTesla

cdd24be26b9898cde599ec3163d3b4bec147ceae656616d3a21d46fa5ab8a8a8

AgentTesla

faca678e809291becfc006895ab61429136a664df87026ba22fa3517c7ff86b5

AgentTesla

+ 1'944 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx keylogger trojan stealer spyware family:agenttesla

Link:

https://tria.ge/reports/201013-5ezwpkezea/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Unpacked files

SH256 hash:

be9f5e6022d9789d876755aec74c292164c2a751ddc977db7a0f9c800967b56d

MD5 hash:

e90f2dfb53a2aedddef4d1ce3123b7e1

SHA1 hash:

aee0a8ff81b579c0680f9bec698712b617c389ed

Link:

https://www.unpac.me/results/eb37f6e7-7c2d-4f87-8452-e3f447583683/

SH256 hash:

f1a1dec22759001f0e6c74db44b926c593924dcfb823c3af41836e34e12edf04

MD5 hash:

f7c17841e060db589029b2ff55ae5db2

SHA1 hash:

9a9d691f29d7efb382995b7d45f689908352b83c

Link:

https://www.unpac.me/results/eb37f6e7-7c2d-4f87-8452-e3f447583683/

SH256 hash:

8de7d4bcd4be0107aa7ad40a1c0800757f60e8c0896cc68f648d27fa417f5f56

MD5 hash:

6b2a59dae1d515c9c347e5cea158e3a3

SHA1 hash:

7b82254d8c2521e149844f9ed42642c284f9d49f

Link:

https://www.unpac.me/results/eb37f6e7-7c2d-4f87-8452-e3f447583683/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Backdoor

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/be9f5e6022d9789d876755aec74c292164c2a751ddc977db7a0f9c800967b56d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.