MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d286b259d2a986d300bffff49e6047c2e48af4d85e6936703e7b167266fdcc63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d286b259d2a986d300bffff49e6047c2e48af4d85e6936703e7b167266fdcc63
SHA3-384 hash: 8363370c024933e53c029c8e7e80fde0a16fc082c46372436efe6a415ce27ec2e68c376a27956ada7ead14710c23940b
SHA1 hash: 575255d2319836c46da205bcdf0a7baace8aeeaa
MD5 hash: db13f973a6e611c1c751d74528bac914
humanhash: monkey-south-diet-beryllium
File name:d286b259d2a986d300bffff49e6047c2e48af4d85e6936703e7b167266fdcc63
Download: download sample
Signature AgentTesla
Create hunting rule
File size:755'200 bytes
First seen:2020-07-29 07:13:27 UTC
Last seen:2020-07-29 07:53:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep 12288:nqC/TkTCXyDbCLgHYazRJlHCoMe7tl+N9b9fXxIwZF+5E5/VpnLRamX/u3HyVy5V:nlOD+gHYGQuz+zhLRVXjsGwFT
Threatray 2'501 similar samples on MalwareBazaar
TLSH 2EF476143BEB6148F577BF715AF5BA974F6EF7B32A09E05A240003464922A80CD97F72
Reporter JAMESWT_WT
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
60
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/34322/
Detection(s):
SecuriteInfo.com.ArtemisDB13F973A6E6.28911.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Creating a process from a recently created file
Creating a file
Creating a file in the %AppData% subdirectories
Creating a window
Unauthorized injection to a recently created process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
Unknown
Detection:
malicious
Classification:
spre.adwa.spyw.evad
Score:
96 / 100
Link:
https://www.joesandbox.com/analysis/401495
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code references suspicious native API functions
Binary contains a suspicious time stamp
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Contains functionality to spread to USB devices (.Net source)
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 252992 Sample: bCa7I56HkH Startdate: 29/07/2020 Architecture: WINDOWS Score: 96 89 localhost.unidev.com.br 2->89 91 g.msn.com 2->91 93 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->93 105 .NET source code contains method to dynamically call methods (often used by packers) 2->105 107 .NET source code references suspicious native API functions 2->107 109 Machine Learning detection for sample 2->109 111 6 other signatures 2->111 9 bCa7I56HkH.exe 4 2->9         started        13 fefefeffer.exe 2->13         started        15 bCa7I56HkH.exe 2->15         started        17 4 other processes 2->17 signatures3 process4 file5 75 C:\Users\user\AppData\...\tmp43D3.tmp.exe, PE32 9->75 dropped 77 C:\Users\user\AppData\...\bCa7I56HkH.exe.log, ASCII 9->77 dropped 125 Contains functionality to register a low level keyboard hook 9->125 127 Injects a PE file into a foreign processes 9->127 19 bCa7I56HkH.exe 12 11 9->19         started        24 tmp43D3.tmp.exe 4 9->24         started        79 C:\Users\user\AppData\...\tmpE28.tmp.exe, PE32 13->79 dropped 129 Machine Learning detection for dropped file 13->129 26 tmpE28.tmp.exe 13->26         started        28 fefefeffer.exe 13->28         started        81 C:\Users\user\AppData\...\tmpEBDA.tmp.exe, PE32 15->81 dropped 30 tmpEBDA.tmp.exe 15->30         started        32 bCa7I56HkH.exe 15->32         started        83 C:\Users\user\AppData\...\tmp758C.tmp.exe, PE32 17->83 dropped 85 C:\Users\user\AppData\...\tmp16F2.tmp.exe, PE32 17->85 dropped 34 tmp16F2.tmp.exe 17->34         started        36 bCa7I56HkH.exe 17->36         started        38 2 other processes 17->38 signatures6 process7 dnsIp8 95 192.168.2.1 unknown unknown 19->95 63 C:\Users\user\AppData\fefefeffer.exe, PE32 19->63 dropped 65 C:\Users\user\AppData\Roaming\...\Server.exe, PE32 19->65 dropped 67 C:\Users\...\fefefeffer.exe:Zone.Identifier, ASCII 19->67 dropped 69 C:\Users\user\...\Server.exe:Zone.Identifier, ASCII 19->69 dropped 113 Installs a global keyboard hook 19->113 40 Server.exe 19->40         started        44 schtasks.exe 19->44         started        71 C:\Users\user\AppData\Roaming\...\Chrome.exe, PE32 24->71 dropped 115 Machine Learning detection for dropped file 24->115 46 powershell.exe 1 18 24->46         started        97 127.0.0.1 unknown unknown 32->97 file9 signatures10 process11 file12 73 C:\Users\user\AppData\...\tmpCF1B.tmp.exe, PE32 40->73 dropped 117 Machine Learning detection for dropped file 40->117 119 Drops PE files to the startup folder 40->119 121 Injects a PE file into a foreign processes 40->121 48 Server.exe 40->48         started        53 tmpCF1B.tmp.exe 40->53         started        55 conhost.exe 44->55         started        123 Creates multiple autostart registry keys 46->123 57 conhost.exe 46->57         started        signatures13 process14 dnsIp15 87 localhost.unidev.com.br 191.232.176.217, 2404 MICROSOFT-CORP-MSN-AS-BLOCKUS Brazil 48->87 59 C:\Users\user\AppData\...behaviorgraphoogle Chrome.exe, PE32 48->59 dropped 61 C:\...behaviorgraphoogle Chrome.exe:Zone.Identifier, ASCII 48->61 dropped 99 Creates multiple autostart registry keys 48->99 101 Installs a global keyboard hook 48->101 103 Machine Learning detection for dropped file 53->103 file16 signatures17
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d286b259d2a986d300bffff49e6047c2e48af4d85e6936703e7b167266fdcc63/
Threat name:
ByteCode-MSIL.Backdoor.SpyGate
Create hunting rule
Status:
Malicious
First seen:
2020-07-28 16:51:53 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
26 of 48 (54.17%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0cd84bfd6c8c5f61e644286675ece0013aafea6a538f899afc544bcbc0c00f75
AgentTesla
3a433d9d40efde586b6da1409014e23c3c08a668f3148682524406f852e239af
AgentTesla
7ed29b5971fdfce885116395debc7289bf0e27966e6c72e41f0e6902b30c6575
AgentTesla
8c3d5e134df25eda7738bbbfaea35569b90bbc9f00308ca32ff6feb76e783e11
AgentTesla
99fa08f0487650df20a089f02f3d61588a56bbbdfdfd840edde8a609b2179103
AgentTesla
9d50a832749b89ed5ac52dd84acf0ae6cd16196267401d1ad1cbfc8506f92bba
AgentTesla
9ed8b4aa4693089d71da648dcc5a33cb2263d82cd522140e063d3150747a2f6d
AgentTesla
ace64cbe1ef91a0b14602264fe0de8e3698cb8b901cbd6251b3fd11d87a0bef6
AgentTesla
b87295a4b2fb2d2f4df9d502d52e2f50a5e9b3ba9f56b17e252fa0f3022ae6f4
AgentTesla
d0030a8a47fd678d6f9f2313fdeed1898fb667bcda9167215a90d64b7744d665
AgentTesla
+ 2'491 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Link:
https://tria.ge/reports/200729-6czpljyzyn/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: AddClipboardFormatListener
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Checks processor information in registry
Suspicious behavior: AddClipboardFormatListener
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Drops file in System32 directory
Suspicious use of SetThreadContext
Modifies service
Suspicious use of SetThreadContext
Modifies service
Adds Run key to start application
Adds Run key to start application
Loads dropped DLL
Drops startup file
Drops startup file
Executes dropped EXE
Executes dropped EXE
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
NJRat
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d286b259d2a986d300bffff49e6047c2e48af4d85e6936703e7b167266fdcc63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/34322/

Comments