MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e27846749619df94dd373cbbc3a27fe44a5790bac920ad7c2d8ed13296e71387. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e27846749619df94dd373cbbc3a27fe44a5790bac920ad7c2d8ed13296e71387
SHA3-384 hash: de26e2ba394425d0f0629337d79ca2e7d0ae30482e5e527cad27a270146a399dbe525c2a5dcfead14b6ba6debf6a210b
SHA1 hash: f24982828f7963afd44af1b6f2c4b83c9a546e1c
MD5 hash: 9c9f97be42dde00579d0150b28dfab7e
humanhash: juliet-nebraska-avocado-orange
File name:9c9f97be42dde00579d0150b28dfab7e.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:735'232 bytes
First seen:2020-10-05 05:16:24 UTC
Last seen:2020-10-05 05:55:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 3d428173b181e83384eb653137e4f549 (4 x AgentTesla, 4 x Loki, 2 x HawkEye)
ssdeep 12288:v6LIdiPeP0pK+6kP/j2hEfPgqZkY4AJ0VSef9k2Kigm:v6rrc+6o+EAqqG0w2k4
Threatray 940 similar samples on MalwareBazaar
TLSH 93F48E23E2A0CC37C163163D9C0B5B7C9E36FDD02924998A6BF4DD4C9F396913A95287
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.yussmed.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
108
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68037/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/480996
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 292938 Sample: pww42bUAyl.exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected AgentTesla 2->27 29 Machine Learning detection for sample 2->29 6 newapp.exe 2->6         started        9 pww42bUAyl.exe 2->9         started        11 newapp.exe 2->11         started        process3 signatures4 31 Multi AV Scanner detection for dropped file 6->31 33 Detected unpacking (changes PE section rights) 6->33 35 Detected unpacking (creates a PE file in dynamic memory) 6->35 47 2 other signatures 6->47 13 newapp.exe 4 6->13         started        37 Detected unpacking (overwrites its own PE header) 9->37 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 9->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->41 43 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 9->43 16 pww42bUAyl.exe 2 7 9->16         started        45 Maps a DLL or memory area into another process 11->45 19 newapp.exe 4 11->19         started        process5 file6 49 Tries to harvest and steal browser information (history, passwords, etc) 13->49 21 C:\Users\user\AppData\Roaming\...\newapp.exe, PE32 16->21 dropped 23 C:\Users\user\...\newapp.exe:Zone.Identifier, ASCII 16->23 dropped 51 Tries to steal Mail credentials (via file access) 16->51 53 Hides that the sample has been downloaded from the Internet (zone.identifier) 16->53 signatures7
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e27846749619df94dd373cbbc3a27fe44a5790bac920ad7c2d8ed13296e71387/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 03:13:36 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4j4em5ewdhpzjxjxhs54hit74rffpef2zeqk27bnr3itffxhcodq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10afc2fcb1ac4d85ac3076f260e008dccee9f1715fd56d1fa6180d504655275d
AgentTesla
1b9451e9b76e1ca8efb1139b25e035ebc9fd9a4c5aebd9d5651b27828d3b6241
AgentTesla
476ad07360e7dc543be24793d393a093a011090ba53b5aafb21069d177271e7d
AgentTesla
7200b362dfb336483d716fbbd84930894e5c8c28acd6a2ceff2b5da5cd3894fc
AgentTesla
8ceba0ecd94e885f32b2e9b68373691b43887e70f6bc903878fdb74551fc919d
AgentTesla
b3332f865f362bd89aaa305a8b8ec5d3e5b6ddae9e704b70a2d36723550415b0
AgentTesla
c95b9b5cf40c96d46c8a6443c458575ccb0cff8e0f750a3e9506c62a155bcfb0
AgentTesla
d3cb1ca085e21ee6eb868bba3a93800df864f61de2bbfb6b00175dd978479906
AgentTesla
f684db86a351d46abae72b79e26a108b75365f2c4819818f0e353f94326042ea
AgentTesla
fb9170b75704e2202310a4ea95652f93cfcc6d4c4700055156ebb8e5532c4a9b
AgentTesla
+ 930 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
upx persistence spyware
Link:
https://tria.ge/reports/201005-yy8hzxx83j/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
Unpacked files
SH256 hash:
e27846749619df94dd373cbbc3a27fe44a5790bac920ad7c2d8ed13296e71387
MD5 hash:
9c9f97be42dde00579d0150b28dfab7e
SHA1 hash:
f24982828f7963afd44af1b6f2c4b83c9a546e1c
Link:
https://www.unpac.me/results/35cdafc3-c112-4f18-8f7a-5099be2953cb/
SH256 hash:
f54842980cba8deabaa9cb132049c69b436fa3e1fdf63a510ccee7f1eafbf2c8
MD5 hash:
4eb70431aceb01cfef345075ee6934ac
SHA1 hash:
bcb8a7c52ed7e1e7a0e96e883d6c389f4cec243c
Link:
https://www.unpac.me/results/35cdafc3-c112-4f18-8f7a-5099be2953cb/
SH256 hash:
75d876c6f5f63dde11338c00dc28ddc3472be9a5091154d4c0df20a0a4f91c81
MD5 hash:
58e38fad612f4aadfdde344cb38dc1d4
SHA1 hash:
7faf38b024b6b520f505ee1ae68e81292645fe12
Link:
https://www.unpac.me/results/35cdafc3-c112-4f18-8f7a-5099be2953cb/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Farheyt
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/e27846749619df94dd373cbbc3a27fe44a5790bac920ad7c2d8ed13296e71387

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68037/

Comments