MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 dfc591ce4559101d5c59cf6cc2773496733b1fac5a058529bb093a56298dc8e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: dfc591ce4559101d5c59cf6cc2773496733b1fac5a058529bb093a56298dc8e6
SHA3-384 hash: 90cd3a9aa246e0aa7bb093806505c071d4fa55d93a07e74d18f2ffbcbb8bb5cbe7a6de4780c76e1c093e431f83715f04
SHA1 hash: 265b4235fd87005e116af5bc72b260746f05588c
MD5 hash: 2d7551924847f997048c1b01e22505e3
humanhash: glucose-pluto-arizona-glucose
File name:Work Specifications.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:725'504 bytes
First seen:2020-08-03 14:01:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'454 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:qMklRrXDQpyOefdqsNkwJF7vFU45gFmWBGeSahrU2tZ/nMq/ljtCnL4DMO7kVUy/:pkvrX0pL1Ak0JKd+ahIQ1jtCL4Q3Gw0
Threatray 1'187 similar samples on MalwareBazaar
TLSH F6F4CE5C7BA0851AF15A1FBE9D3661039D34F80BA927F38F29F5516C487A38C9C42F92
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: sibylinecornt.com
Sending IP: 95.211.208.58
From: SIBYLLINE TRADING & CONTRACTING W.L.L. <info@sibylinecornt.com>
Reply-To: engineering.stc@sibylinecornt.com
Subject: RFQ Service Road and Boundary Fencing Work / Metal work
Attachment: Work Specifications.rar (contains "Work Specifications.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
78
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/37933/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/408094
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 256293 Sample: Work Specifications.exe Startdate: 03/08/2020 Architecture: WINDOWS Score: 100 30 cdn.onenote.net 2->30 32 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->32 46 Found malware configuration 2->46 48 Sigma detected: Capture Wi-Fi password 2->48 50 Yara detected AgentTesla 2->50 52 4 other signatures 2->52 9 Work Specifications.exe 3 2->9         started        11 LKUgjc.exe 2 2->11         started        13 LKUgjc.exe 1 2->13         started        signatures3 process4 process5 15 RegSvcs.exe 2 4 9->15         started        20 conhost.exe 11->20         started        22 conhost.exe 13->22         started        dnsIp6 34 smtp.yandex.ru 77.88.21.158, 49740, 587 YANDEXRU Russian Federation 15->34 36 smtp.yandex.com 15->36 28 C:\Users\user\AppData\Roaming\...\LKUgjc.exe, PE32 15->28 dropped 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->38 40 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->40 42 Tries to steal Mail credentials (via file access) 15->42 44 5 other signatures 15->44 24 netsh.exe 3 15->24         started        file7 signatures8 process9 process10 26 conhost.exe 24->26         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/dfc591ce4559101d5c59cf6cc2773496733b1fac5a058529bb093a56298dc8e6/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-08-03 14:03:12 UTC
AV detection:
21 of 28 (75.00%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=37czdtsfleib2xczz5wme5zuszztwh5mlicykkn3be5fmkmnzdta._file
Verdict:
malicious
Similar samples:
51f3a9f7ba793e867b3738a3f2707d11d3d839a099a70d6bb02c6b6aa68de4c8
AgentTesla
5312fab3ad83a00863c90baec3bbe7f1265cc6d94398b364f2cd7c11369af074
AgentTesla
5e57e98ff9180e08404e1ddaf29e274ab4df1149b2cbfbdf3422ae460afbafac
AgentTesla
6cb4b1c8e7a9db252978470e2971438bc9cb1e4036c6dfdeec7229af1f7d56b8
AgentTesla
6eb10ca3e8026756f417b8e04510f768c28175817c73be8f21514dfb186d687f
AgentTesla
9aacf7241d4ac98976ece20663fe83d6b5f13bfe98b597ae02ed5d39614b9c16
AgentTesla
e5c5c9d753512a626d7bc4e6a14191b3db75290da5046b7d4d5fd4acc2ed3460
AgentTesla
e90113ece868954185441f939e93cab4f887465291e620753b411d043131b793
AgentTesla
ef47e6b46e818e6f3110202391cca1ba74b312d9e2d11dd66e62b59c60b49cda
AgentTesla
efb0614d2ed991a28fb923ed15a74ecf24bbaea76e767f16213c752962c103df
AgentTesla
+ 1'177 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer persistence spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200803-xx9mfttsnx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Modifies service
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.45
Link:
https://yomi.yoroi.company/submissions/dfc591ce4559101d5c59cf6cc2773496733b1fac5a058529bb093a56298dc8e6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 3603db80c35f018259f86d54709e08d952495fe4411922bb4c9b2ae5e1762f15

AgentTesla

Executable exe dfc591ce4559101d5c59cf6cc2773496733b1fac5a058529bb093a56298dc8e6

(this sample)

  
Dropped by
MD5 01324c13cd5c7e9878f53055baa2b29a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/37933/
  
Dropped by
SHA256 3603db80c35f018259f86d54709e08d952495fe4411922bb4c9b2ae5e1762f15

Comments