MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c08b6cb15ec45d44bde739241acb6403f92bffc565a006c11cbfb4f9c10806e1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c08b6cb15ec45d44bde739241acb6403f92bffc565a006c11cbfb4f9c10806e1
SHA3-384 hash: a06914fc3c3cf0c25420e3e78fca6d3152702967ae23a40609cc5ef84733f040f2cb49652db4147556540d97bd015e55
SHA1 hash: 711edff9c18d35f584a304ed519952090c09558a
MD5 hash: ebf7110acc5b8ed1a4dad99aacdd7760
humanhash: beryllium-washington-vegan-saturn
File name:INSPECTION FOR H&H - NEW ORDERS.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:801'792 bytes
First seen:2020-08-10 12:49:54 UTC
Last seen:2020-08-10 16:17:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:q7ITNeAxLfubawpS9mM2LP6PF3RHVtqGp6sC1D+Qoiph:OQZxjirQ9mM2LPmVtq6eD+Fiv
Threatray 11'498 similar samples on MalwareBazaar
TLSH 1C058D1CAC6C8C11CB151377C54AA91E6268AC027BF2D5EF7B8B321B43797F2A5701AD
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: heinenhopmanindia.com
Sending IP: 176.123.10.138
From: hirak.dandapat@heinenhopmanindia.com
Subject: INSPECTION FOR H&H - ORDERS - FW: Kind Attn
Attachment: INSPECTION FOR HH - NEW ORDERS.gz (contains "INSPECTION FOR H&H - NEW ORDERS.exe")

AgentTesla SMTP exfil server:
mail.nabf.com.au:587

Intelligence

File Origin
# of uploads :
5
# of downloads :
74
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/42772/
Detection(s):
SecuriteInfo.com.ArtemisEBF7110ACC5B.28625.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Using the Windows Management Instrumentation requests
Creating a file
Creating a window
Sending a UDP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/416923
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 260629 Sample: INSPECTION FOR H&H - NEW OR... Startdate: 10/08/2020 Architecture: WINDOWS Score: 100 38 Found malware configuration 2->38 40 Sigma detected: Scheduled temp file as task from temp location 2->40 42 Yara detected AgentTesla 2->42 44 9 other signatures 2->44 8 INSPECTION FOR H&H - NEW ORDERS.exe 7 2->8         started        process3 file4 26 C:\Users\user\AppData\Roaming\BVkpNGpI.exe, PE32 8->26 dropped 28 C:\Users\...\BVkpNGpI.exe:Zone.Identifier, ASCII 8->28 dropped 30 C:\Users\user\AppData\Local\Temp\tmp7F0.tmp, XML 8->30 dropped 32 INSPECTION FOR H&H - NEW ORDERS.exe.log, ASCII 8->32 dropped 46 Injects a PE file into a foreign processes 8->46 12 INSPECTION FOR H&H - NEW ORDERS.exe 4 8->12         started        16 INSPECTION FOR H&H - NEW ORDERS.exe 8->16         started        18 schtasks.exe 1 8->18         started        signatures5 process6 dnsIp7 34 nabf.com.au 122.201.97.187, 49703, 587 DREAMSCAPE-AS-APDreamscapeNetworksLimitedAU Australia 12->34 36 mail.nabf.com.au 12->36 48 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->48 50 Tries to steal Mail credentials (via file access) 12->50 52 Tries to harvest and steal ftp login credentials 12->52 54 2 other signatures 12->54 20 MpCmdRun.exe 1 16->20         started        22 conhost.exe 18->22         started        signatures8 process9 process10 24 conhost.exe 20->24         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c08b6cb15ec45d44bde739241acb6403f92bffc565a006c11cbfb4f9c10806e1/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-10 12:51:10 UTC
File Type:
PE (.Net Exe)
Extracted files:
24
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ycfwzmk6yroujpphhesbvs3eap4sx76fmwqanqi4x62ptqiia3qq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
230e96f9118ac3ca1c34972b1d270cf12b69755bef0f049db0197552a5c61cde
AgentTesla
3758d7565ac1b7a53aaf748872acaff5d93531907d5da6d401446d06a121efd7
AgentTesla
4b99d1a940dfd192ed667c4ba4818e62f7af85cb6bf48cf967aa233dae912ea1
AgentTesla
4ede93704fe2c1189b94f751273bceb736bf383055f282c074bc7650c80ada0e
AgentTesla
62d9b3d45df47e2bb1c64913382a31a7a15989123b363593ca144a9113082408
AgentTesla
656e99ec9ba18c70b338604ef390ce523a35339c8bc556ff2963ca2ce87baec7
AgentTesla
813f91b6601d46e7f9f3d4dce52c725c7c3f17733277fc7bf88ae1597fa23a2e
AgentTesla
8836d2251b3f253f4cfd80608f8ff7596198ae1ea0949b1a6ffb895a0ac14ef2
AgentTesla
a52c72aa195562b2f469e6dbc1e2e7534aec440d4674cedb788f3800286ecbbf
AgentTesla
bc36d20a9c2283a9f9e01a995af6fde7824a0d18469983d0a6fb3899c6516b47
AgentTesla
+ 11'488 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware evasion trojan family:agenttesla
Link:
https://tria.ge/reports/200810-l2q6zc1e1e/
Behaviour
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetThreadContext
Maps connected drives based on registry
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Checks BIOS information in registry
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c08b6cb15ec45d44bde739241acb6403f92bffc565a006c11cbfb4f9c10806e1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz ce535990d2974bc283104775e9908a38905eda87f15b998fa33a7e6d12c45007

AgentTesla

Executable exe c08b6cb15ec45d44bde739241acb6403f92bffc565a006c11cbfb4f9c10806e1

(this sample)

  
Dropped by
MD5 501fdfe7e1425f5bc02f1e7d8103f937
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ce535990d2974bc283104775e9908a38905eda87f15b998fa33a7e6d12c45007
Cape
Cape
https://www.capesandbox.com/analysis/42772/

Comments