MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d44272fe83f10383b50e8268ffe5f7f70e1c2b355363ccde038172f6a9eb5479. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	d44272fe83f10383b50e8268ffe5f7f70e1c2b355363ccde038172f6a9eb5479
SHA3-384 hash:	59792a10bc3f2c5ad38bf40a450bf742038b3e60d079de2a183c9e8d401df742230cfc0067e715d6ea2bf172a15f857b
SHA1 hash:	b6749766413cdd7a7c6b58bb1d596a6d4478e1a4
MD5 hash:	cd53bb5a8efb8397089db59307b51406
humanhash:	uranus-football-cup-jersey
File name:	PEDIDO#4965832-pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	784'896 bytes
First seen:	2020-08-13 14:32:31 UTC
Last seen:	2020-08-13 15:54:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:5S1zkkNtheQ3Sr9BnEVLXxhG/WuaJ2fWFTa:4GQInEVLiaJ5
Threatray	9'562 similar samples on MalwareBazaar
TLSH	31F43A2D3AC57819D53D2A3180B5AAD17370B68B3B11CB1F6ADA07DD6F036CB3A4509E
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: linux1537.grserver.gr
Sending IP: 185.138.42.92
From: Penka Tzolova <p.tzolova@qualityintergroup.com>
Reply-To: Penka Tzolova <baeutyslondon@yahoo.com>
Subject: NUEVO PEDIDO (POR FAVOR COTIZAR)
Attachment: PEDIDO4965832-pdf.7z (contains "PEDIDO#4965832-pdf.exe")

AgentTesla FTP exfil server:
ftp.transdealer.cl:21

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/45244/

Detection(s):

SecuriteInfo.com.CAP_HookExKeylogger.8564.31013.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Creating a file in the %temp% subdirectories

Sending a UDP request

Creating a file

Creating a process from a recently created file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/426625

Signature

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/d44272fe83f10383b50e8268ffe5f7f70e1c2b355363ccde038172f6a9eb5479/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-08-13 14:34:07 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=2rbhf7ud6ebyhnioqjup7zpx64hbykzvknr4zxqdqfzpnkplkr4q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

630667a466b8fa4783cd9921551834f41a9e3a40712cda832dc2faf61503c00f

AgentTesla

834d1c44beb1b8c469300ca6378aa0b1283775867babb3d92fd0dae15ddd9dc7

AgentTesla

8a47ce85d2c2f882b1f9e4e4a914ad8639a8a3d1c404d0b4dd555309097c768e

AgentTesla

8d022dab121f77e8bc72f928612aa7d06f08f9e0726f509f28a4874f7b4cfe50

AgentTesla

8d4a01b04439bd4ea04fca05aa078367da91aefea6dbe7b317c3fa16ca9d3354

AgentTesla

a7d27c9cca035fac67dadf420c7adcfb2b196b4f2db64d94e13ddb6a9ea1c46a

AgentTesla

f33b42d9fc050b6bdcbb67710f711b5a4d992386004e2d730ad0c6668728e2c0

AgentTesla

fa885e667cc43b0acd85af66802d2eaa9266ceed59a74589b415aa0ef45e4ce9

AgentTesla

fac60337d24368bfafe95f8446c535901714cb300b579bc45a57c4732da7cf1d

AgentTesla

+ 9'552 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer family:agenttesla

Link:

https://tria.ge/reports/200813-ccr4v1zcrx/

Behaviour

AgentTesla Payload

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/d44272fe83f10383b50e8268ffe5f7f70e1c2b355363ccde038172f6a9eb5479

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar