MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 d55a3bea3809a1aacc17fbd3e4a1c00e31d326eb12ed07e9ca2215cff41a3bf3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: d55a3bea3809a1aacc17fbd3e4a1c00e31d326eb12ed07e9ca2215cff41a3bf3
SHA3-384 hash: 53bc5a42208241304bfa5f7f6abd97cd5106de4e4068a6b3d853a0f548e1020a28fedd68008247720a5a9e05a7230723
SHA1 hash: 316282c1370c7f68a100e938c6b136d71c74cd6d
MD5 hash: 737c40250e86476ada3c5ddc4984144b
humanhash: indigo-leopard-emma-berlin
File name:west_gCxd.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:547'840 bytes
First seen:2020-10-02 09:06:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:bHDOTSGHQMKqZ9CgSHuSEQe7x2u4hp8urzncG1oCm:/ljDggu9/7f44encioL
Threatray 257 similar samples on MalwareBazaar
TLSH D7C4D06D826D411ACCED057020B7652B5FBCEBE76CC7E34945A8AC746878900237ADEF
Reporter abuse_ch
Tags:AgentTesla exe HSBC


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: mwweb08oc.mail2world.com
Sending IP: 74.202.142.113
From: HSBC<ealerts.3844586.902237.3088672836@informationservices.hsbc.com.hk>
Subject: HSBC: Pre-approved Principal Payment Holiday Scheme for Corporate Customers
Attachment: HS_gCxd.zip (contains "west_gCxd.exe")

AgentTesla C2:
amronntl.com/jp/inc/098fcd77902264.php

Intelligence

File Origin
# of uploads :
1
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Trojan.PWS.Siggen2.55082.32183.2686.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Running batch commands
Creating a process with a hidden window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
DNS request
Connection attempt
Sending an HTTP POST request
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480079
Signature
Drops PE files to the startup folder
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Installs a global keyboard hook
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 292479 Sample: west_gCxd.exe Startdate: 02/10/2020 Architecture: WINDOWS Score: 100 39 nagano-19599.herokussl.com 2->39 41 g.msn.com 2->41 43 3 other IPs or domains 2->43 51 Multi AV Scanner detection for dropped file 2->51 53 Icon mismatch, binary includes an icon from a different legit application in order to fool users 2->53 55 Multi AV Scanner detection for submitted file 2->55 57 4 other signatures 2->57 8 west_gCxd.exe 4 2->8         started        12 chrome.exe 4 2->12         started        signatures3 process4 file5 37 C:\Users\user\AppData\...\west_gCxd.exe.log, ASCII 8->37 dropped 59 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->59 61 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 8->61 14 west_gCxd.exe 15 2 8->14         started        18 cmd.exe 3 8->18         started        21 west_gCxd.exe 8->21         started        23 chrome.exe 14 2 12->23         started        25 cmd.exe 1 12->25         started        27 chrome.exe 12->27         started        signatures6 process7 dnsIp8 45 amronntl.com 95.181.155.250, 49739, 49748, 49762 MSKHOSTRU Russian Federation 14->45 47 elb097307-934924932.us-east-1.elb.amazonaws.com 184.73.247.141, 443, 49760, 49761 AMAZON-AESUS United States 14->47 49 3 other IPs or domains 14->49 63 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->63 65 Tries to steal Mail credentials (via file access) 14->65 67 Tries to harvest and steal ftp login credentials 14->67 69 Tries to harvest and steal browser information (history, passwords, etc) 14->69 33 C:\Users\user\AppData\Roaming\...\chrome.exe, PE32 18->33 dropped 35 C:\Users\user\...\chrome.exe:Zone.Identifier, ASCII 18->35 dropped 71 Drops PE files to the startup folder 18->71 29 conhost.exe 18->29         started        73 Installs a global keyboard hook 23->73 31 conhost.exe 25->31         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/d55a3bea3809a1aacc17fbd3e4a1c00e31d326eb12ed07e9ca2215cff41a3bf3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-02 05:56:28 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=2vndx2rybgq2vtax7pj6jioabyy5gjxlclwqp2okeik475a2hpzq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
19b8d7da5a00f2ef97531fda2db336b31c19a73c482e8528c21730a8ff372786
AgentTesla
535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64
AgentTesla
5c00b91df3bffa9a2daed7828bef0d02d785d2656016683b85018162c2fb7f6b
AgentTesla
6301733be7a1058abac7988f9143ca5739c05e9a12a567d1ca2593f3b64f818f
AgentTesla
65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1
AgentTesla
787bbb324bff5c9623f81bcfb8eb548a5938a50323c594440bc46dacd52276a4
AgentTesla
8ca10b0fcde48ff00c9218062eb8aefe2a9d3ddc5e240a9da4a2e7764cbfff90
AgentTesla
8dc9d32f21b231d0d1ed00ff04eae170eb680034e4079db1f6e17079ab5aa2f9
AgentTesla
c01c0556641fcb384b2ab40d5d4a3fb6c5f119590b679e8957065038699c88a1
AgentTesla
c48e35f8fcabd28e3598287342ddc3f3d28f24d6415786a980675d456e0836f9
AgentTesla
+ 247 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201002-p744t3dtqe/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
d55a3bea3809a1aacc17fbd3e4a1c00e31d326eb12ed07e9ca2215cff41a3bf3
MD5 hash:
737c40250e86476ada3c5ddc4984144b
SHA1 hash:
316282c1370c7f68a100e938c6b136d71c74cd6d
Link:
https://www.unpac.me/results/b0739a03-67ed-4e6f-9f4b-bd6be7e8a667/
SH256 hash:
e9e7275e1ba26c718f39221a9bf91c2b890ddbe6357b2098420d15fdab157b08
MD5 hash:
d630e33af4538cdbce12495946e5c9e4
SHA1 hash:
12249197c992cc4513b1a9dfd1742df6695b95ee
Link:
https://www.unpac.me/results/b0739a03-67ed-4e6f-9f4b-bd6be7e8a667/
SH256 hash:
0d9f48415946a94f8865ab8e1a777b07873815057789b6d5a69784f899e6e1be
MD5 hash:
2dd7ce63df098ec91dce6b439feed354
SHA1 hash:
5d336a9d94331e4fa2b42fb784d59c8931d92cc6
Link:
https://www.unpac.me/results/b0739a03-67ed-4e6f-9f4b-bd6be7e8a667/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/d55a3bea3809a1aacc17fbd3e4a1c00e31d326eb12ed07e9ca2215cff41a3bf3

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 8a941467606e8dfdd35992b74fca710c29c5ff77d83b2af3b5a3804ed316e69c

AgentTesla

Executable exe d55a3bea3809a1aacc17fbd3e4a1c00e31d326eb12ed07e9ca2215cff41a3bf3

(this sample)

  
Dropped by
MD5 543407d2b1765e4fea70d87a5481022a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/67689/
  
Dropped by
SHA256 8a941467606e8dfdd35992b74fca710c29c5ff77d83b2af3b5a3804ed316e69c

Comments