MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e14485ceea75d472b156c60312308d431fbd7bf1fbc0b4994fb47c05b79c6ddf. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	e14485ceea75d472b156c60312308d431fbd7bf1fbc0b4994fb47c05b79c6ddf
SHA3-384 hash:	edcef492079b44a43e675d7286f3ac847943717a9bc4bd4c797492bef86c157ea631559e517858c35d087353d0263a89
SHA1 hash:	763126799a6944422bec5285a783ba69008f700b
MD5 hash:	9704fb19bf08b5ca543cd779827cd706
humanhash:	sweet-solar-emma-bulldog
File name:	RFQ-PRO NO. SER-M 212 21420.xls__.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	754'688 bytes
First seen:	2020-09-02 06:14:36 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep	6144:xBPYE9q5KGZ3ItBqMx47sn2dt/jgR8KXnXMnPO2k9n:ME9qIGZ3UB7JYU3cRkx
Threatray	29 similar samples on MalwareBazaar
TLSH	A5F4D566278D5495F03D3371146CB5E03230AE462E0CE61F35D61BCE6EC69DB7B828BA
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

From: Yanis Kolios <inquiry@507.drxvivo.ml>
Subject: RFQ-PRO NO. SER-M 212 & 214/20
Attachment: RFQ-PRO NO. SER-M 212 21420.xls__.gz (contains "RFQ-PRO NO. SER-M 212 21420.xls__.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

102

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV2

Link:

https://www.capesandbox.com/analysis/54195/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %temp% directory

Creating a process from a recently created file

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a recently created process

Unauthorized injection to a recently created process by context flags manipulation

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/457183

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/e14485ceea75d472b156c60312308d431fbd7bf1fbc0b4994fb47c05b79c6ddf/

Threat name:

ByteCode-MSIL.Spyware.Negasteal

Status:

Malicious

First seen:

2020-09-02 05:31:28 UTC

AV detection:

22 of 29 (75.86%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=4fciltxkoxkhfmkwyybremenimp3267r7paljgkpwr6aln44nxpq._file

Verdict:

unknown

AgentTesla

159921268e1634b4695fdeb118786e1d8b3607e775ec42913beeae5f497d0011

AgentTesla

1ede91e067622d1f60365bd4fb7345b7be7958d95d76361238869b39b6cc62cd

AgentTesla

221c96dcf9d3f774e6d79c3db0c56885381f2134f381cb471f08c75072adba26

AgentTesla

4b957c9c068b3545eeebdafc11543b47228daf7e5bfa9500cf5660c1236a8184

AgentTesla

72401bf3b38c9ea0fafb14afa9fd35484add4163752be1f7243a9e7d6fa3c7af

AgentTesla

8ab140bb28604e13079fa3aa37f12f521a7ab3619b979e0ca505a337a544431b

AgentTesla

acf68538ba67b523ff52999cc40e2ef3383c53b5b5fe53c634cf7c52f5c9dbe3

AgentTesla

af403c116c3b92f0d3d363f85a7d70e97abcffbe2278651471dfe0e1a46a1945

AgentTesla

fbab77a9399461b71d65d586ad2aac134941f7fac37e5e607822749a627b3937

AgentTesla

+ 19 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger stealer family:agenttesla

Link:

https://tria.ge/reports/200902-rvqfy5nfvx/

Behaviour

AgentTesla Payload

Agenttesla family

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/e14485ceea75d472b156c60312308d431fbd7bf1fbc0b4994fb47c05b79c6ddf

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar