MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e057f177dbb47cdb739ca5300812914d10c60ef522607819b91201079ffa643d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e057f177dbb47cdb739ca5300812914d10c60ef522607819b91201079ffa643d
SHA3-384 hash: 49534396181be3f290242f1dc8a6eb9ac94362a7e43f3cd264802c678c3126ecd259b5f944ed7feb56dcbd381f627387
SHA1 hash: 6ba1cb441b1ee8ed453d7ae675c68d9293d2a004
MD5 hash: 6b9d85632efc9472792a1ae89a561857
humanhash: wolfram-romeo-autumn-monkey
File name:Drawing No 2000168004_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:14'704 bytes
First seen:2021-02-24 07:04:53 UTC
Last seen:2021-02-24 09:04:11 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 192:SCrUGP++9Iv6bUB3TCDHL6ejVVj5W97jtWaIpopOovwpqBZHkBp:Jr26ba3TCL2ejVVj5C7jtWaDPhI
Threatray 11'067 similar samples on MalwareBazaar
TLSH 516229269E771C41F43B95342AE2DB5995F06BF16B11CA37288C80951A63B80E7DCF3D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: labitconf.com
Sending IP: 103.99.1.140
From: info@labitconf.com
Reply-To: jamesadny@hotmail.com
Subject: RFQ No 2000168004 for FIRM
Attachment: Drawing No 2000168004_pdf.gz (contains "Drawing No 2000168004_pdf.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Drawing No 2000168004_pdf.exe
Verdict:
Malicious activity
Analysis date:
2021-02-24 07:27:03 UTC
Tags:
trojan keylogger stealer agenttesla
Link:
https://app.any.run/tasks/5c958b30-c51c-4ff8-891f-e72bb20b63a9

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/118869/
Detection(s):
SecuriteInfo.com.Trojan.DownLoader36.46209.29923.8416.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling the 'hidden' option for recently created files
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Sending an HTTP GET request to an infection source
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/616216
Signature
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Contains functionality to hide a thread from the debugger
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 357112 Sample: Drawing No 2000168004_pdf.exe Startdate: 24/02/2021 Architecture: WINDOWS Score: 100 72 Multi AV Scanner detection for domain / URL 2->72 74 Found malware configuration 2->74 76 Multi AV Scanner detection for submitted file 2->76 78 7 other signatures 2->78 7 NewApp.exe 14 3 2->7         started        11 Drawing No 2000168004_pdf.exe 15 3 2->11         started        13 NewApp.exe 2->13         started        process3 dnsIp4 52 104.21.71.230, 49760, 49764, 80 CLOUDFLARENETUS United States 7->52 80 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->80 82 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->82 84 Hides threads from debuggers 7->84 15 NewApp.exe 7->15         started        19 cmd.exe 7->19         started        21 WerFault.exe 7->21         started        23 NewApp.exe 7->23         started        54 coroloboxorozor.com 172.67.172.17, 49735, 80 CLOUDFLARENETUS United States 11->54 86 Injects a PE file into a foreign processes 11->86 25 Drawing No 2000168004_pdf.exe 2 9 11->25         started        28 cmd.exe 1 11->28         started        34 3 other processes 11->34 30 cmd.exe 13->30         started        32 NewApp.exe 13->32         started        signatures5 process6 dnsIp7 60 Tries to harvest and steal ftp login credentials 15->60 62 Tries to harvest and steal browser information (history, passwords, etc) 15->62 36 conhost.exe 19->36         started        38 timeout.exe 19->38         started        56 192.168.2.1 unknown unknown 21->56 58 mail.soonlogistics.com 103.17.211.69, 49765, 49768, 49773 IPSERVERONE-AS-APIPServerOneSolutionsSdnBhdMY Malaysia 25->58 48 C:\Users\user\AppData\Roaming\...48ewApp.exe, PE32 25->48 dropped 50 C:\Users\user\...50ewApp.exe:Zone.Identifier, ASCII 25->50 dropped 64 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 25->64 66 Tries to steal Mail credentials (via file access) 25->66 68 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->68 70 Installs a global keyboard hook 25->70 40 conhost.exe 28->40         started        42 timeout.exe 1 28->42         started        44 conhost.exe 30->44         started        46 timeout.exe 30->46         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e057f177dbb47cdb739ca5300812914d10c60ef522607819b91201079ffa643d/
Threat name:
ByteCode-MSIL.Downloader.BaseLoader
Create hunting rule
Status:
Malicious
First seen:
2021-02-24 02:59:27 UTC
AV detection:
3 of 48 (6.25%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=4bl7c563wr6nw444uuyaqeurjuimmdxvejqhqgnzciaqph72mq6q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
09e757213c16dcbf36424c974ffb22e19e8204ee9eda994211669d586454a347
AgentTesla
1aa7a26dc92fbd8b4bb9ddd986a7160525ed218434d15d7bfc13e8b4dc5a7275
AgentTesla
26e7e2592001dcae03d24805daf839378a61263b2aab7a6d7db204088833f946
AgentTesla
6d0109dbceff8f7a96076cb6d274e44df655597e7fb090a21ec2866352c1e640
AgentTesla
a56a122e4d9fc51551a7c7ea70458c0938fbd4620268ed1d14b393e1e68325de
AgentTesla
b37d450b7d60fd2497ae794e9835b999339549406b1a05d92bb46a9f1a23eb12
AgentTesla
b707eb402e6b80cd3a7e527cd8b57cbb639909d8376e60e14a19b5e72fa57cf0
AgentTesla
d17f81844d81aab1740d9fc2992ae741df0636cd8eee2be31caa84a480e561ab
AgentTesla
ee9ee2abef95ddfdcad61d9314b9fec9deb37695427b57b85248ff3adfa8fdeb
AgentTesla
fcdececb42372d5ae1a1a1d367046476f916624878980498984983f00add62ad
AgentTesla
+ 11'057 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210224-7xetxchxhe/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e057f177dbb47cdb739ca5300812914d10c60ef522607819b91201079ffa643d
MD5 hash:
6b9d85632efc9472792a1ae89a561857
SHA1 hash:
6ba1cb441b1ee8ed453d7ae675c68d9293d2a004
Link:
https://www.unpac.me/results/50b34639-fb13-4787-9843-5854b98acb2c/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 9e4851dc715de10390dbed4d4290bf93d496ccb68515f61d347c54e630cb2490

AgentTesla

Executable exe e057f177dbb47cdb739ca5300812914d10c60ef522607819b91201079ffa643d

(this sample)

  
Dropped by
MD5 56d77ab990852b950b277ecd4704a46f
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 9e4851dc715de10390dbed4d4290bf93d496ccb68515f61d347c54e630cb2490
Cape
Cape
https://www.capesandbox.com/analysis/118869/

Comments