MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d422f3770adfa2e74bd827848844a9b242c02f0645932b8ab7f3bf4e2bea3687. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d422f3770adfa2e74bd827848844a9b242c02f0645932b8ab7f3bf4e2bea3687
SHA3-384 hash: 042b13eccb271cae1fd999adc563acf93caacd2a5e441e295bd494d0177a4fc242374cb080363d65a8ab20e4bb6ae8cb
SHA1 hash: ec4ee7f2f077ea72ef3d428a32a082b9290fcdae
MD5 hash: 07c63d15965c487974074d80acec9c36
humanhash: twelve-uniform-tennis-sierra
File name:tbagbag.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:645'632 bytes
First seen:2020-08-11 10:59:22 UTC
Last seen:2020-08-11 12:14:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'659 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:qVmVDbuykj7GFcnVJfKV/tTqX8mQe/QxeHyv:qkwyKHnXf6TW8ml/QESv
Threatray 10'732 similar samples on MalwareBazaar
TLSH 4ED47C60F91032E5F263C52972D1ED86330AE1A2E5524FB7F72F69EC4A495C906B3F06
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: web.senson.lv
Sending IP: 83.99.232.75
From: Eng. Nasurudeen <n.jubair@saudiceramics.com>
Subject: QUOTATION AND SAMPLE OF PRODUCTS
Attachment: Quotation.xlsx

AgentTesla payload URL:
http://coronaworldhealthorgainizationfilejob.duckdns.org/tbagbag.exe

AgentTesla SMTP exfil server:
mail.focuzpartsmart.com:587

AgentTesla SMTP exfil email address:
lijo@focuzpartsmart.com

Intelligence

File Origin
# of uploads :
2
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/43256/
Detection(s):
SecuriteInfo.com.Trojan.MSIL.Basic.3.Gen.18164.18832.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file
Sending a UDP request
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Changing the hosts file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/418513
Signature
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 261539 Sample: tbagbag.exe Startdate: 11/08/2020 Architecture: WINDOWS Score: 68 73 Yara detected AgentTesla 2->73 75 Machine Learning detection for sample 2->75 13 tbagbag.exe 2->13         started        process3 signatures4 93 Writes to foreign memory regions 13->93 95 Maps a DLL or memory area into another process 13->95 16 tbagbag.exe 13->16         started        19 RegAsm.exe 13->19         started        21 RegAsm.exe 2 13->21         started        process5 signatures6 57 Writes to foreign memory regions 16->57 59 Maps a DLL or memory area into another process 16->59 23 tbagbag.exe 16->23         started        26 RegAsm.exe 2 16->26         started        61 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 19->61 63 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 19->63 process7 signatures8 81 Writes to foreign memory regions 23->81 83 Maps a DLL or memory area into another process 23->83 28 tbagbag.exe 23->28         started        31 RegAsm.exe 2 23->31         started        process9 signatures10 89 Writes to foreign memory regions 28->89 91 Maps a DLL or memory area into another process 28->91 33 tbagbag.exe 28->33         started        36 RegAsm.exe 2 28->36         started        process11 signatures12 69 Writes to foreign memory regions 33->69 71 Maps a DLL or memory area into another process 33->71 38 tbagbag.exe 33->38         started        41 RegAsm.exe 33->41         started        process13 signatures14 77 Writes to foreign memory regions 38->77 79 Maps a DLL or memory area into another process 38->79 43 tbagbag.exe 38->43         started        46 RegAsm.exe 38->46         started        process15 signatures16 85 Writes to foreign memory regions 43->85 87 Maps a DLL or memory area into another process 43->87 48 tbagbag.exe 43->48         started        51 RegAsm.exe 43->51         started        process17 signatures18 65 Writes to foreign memory regions 48->65 67 Maps a DLL or memory area into another process 48->67 53 RegAsm.exe 48->53         started        55 tbagbag.exe 48->55         started        process19
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d422f3770adfa2e74bd827848844a9b242c02f0645932b8ab7f3bf4e2bea3687/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-08-11 11:01:05 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2qrpg5yk36roos6ye6ciqrfjwjbmalygiwjsxcvx6o7u4k7kg2dq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f75f6670487368f4ba9f5cf419f8f96433a2c4176bd2d07c4a12d0c83963abb
AgentTesla
50529809a9b92f2b353e94a27b850f7be76f820c9a413a5968d686026936c133
AgentTesla
56f2c7b9d0efa06b177d87a0617b2a4ccb000d72599d046e3cc014628a4ca497
AgentTesla
653f9230a0dfc61996a0213363c938cc629fe374f877febd3df485369d1f476a
AgentTesla
656e99ec9ba18c70b338604ef390ce523a35339c8bc556ff2963ca2ce87baec7
AgentTesla
6b289f4c862c4205a7debaa7217dfad7e66b56dcd3274e9b4ee530aa0e380037
AgentTesla
c31d9332ca27728baef499ef943eb5c06181f8a33cb1f49dd5597a2486281ac9
AgentTesla
cea8cae444dd5dadf01c31def4681b170907b97e0cfb468a9ff317ce7ae736a3
AgentTesla
f150b76e622e7da135e3d47a20c424aa20a6efeb839b15d301c17233bdcbc9f4
AgentTesla
f3635e26f70dfb1240a5f8c7b09ea634ee9e5b6692cb73829b0124c0b2505281
AgentTesla
+ 10'722 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/200811-eambc5ewwj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d422f3770adfa2e74bd827848844a9b242c02f0645932b8ab7f3bf4e2bea3687

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Excel file xlsx 9edb4bbd34216b8f9ddf5516eb20a1328114c0f8ad2a140b990e478f31c46ac4

AgentTesla

Executable exe d422f3770adfa2e74bd827848844a9b242c02f0645932b8ab7f3bf4e2bea3687

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/429197/
  
Dropped by
MD5 88be60c95216eb84a37d49c3f0a3f246
  
Dropped by
SHA256 9edb4bbd34216b8f9ddf5516eb20a1328114c0f8ad2a140b990e478f31c46ac4
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/43256/

Comments