MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e41fbec10175660a9655724eef4cef7c29f281d337cf58a065ab18986f22d10f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence 9 File information Yara 4 Comments

SHA256 hash: e41fbec10175660a9655724eef4cef7c29f281d337cf58a065ab18986f22d10f
SHA3-384 hash: 7439cfd92363c51d018e22cdf704a710525abe606ceb215ab9ba5620e93601e5592617f9e261d5d894f05ac6a42e89ce
SHA1 hash: 427ddf0b931b336289db384796625ce9078de7c9
MD5 hash: 7da17cd56770b9ad6d63b46d158751fc
humanhash: nineteen-south-michigan-texas
File name:SecuriteInfo.com.Trojan.PWS.Siggen2.52529.9043.17402
Download: download sample
Signature AgentTesla
File size:417'792 bytes
First seen:2020-08-02 06:34:35 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 6144:wkknfzOwXQRbzJBIXQc+p6kFKesgRS48mU1CCX/jr6oRFR0YEfgeo3n0G6Fu:oERbVB+QvEyAce/7r6ui/K0Gmu
TLSH 9B94010073BC9763E5BA8BF94D702414133BB93E71A2E38C1DA661EF28B67504695F93
Reporter @SecuriteInfoCom
Tags:AgentTesla

Intelligence


File Origin
# of uploads :
1
# of downloads :
40
Origin country :
US US
Mail intelligence
No data
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
Binary contains a suspicious time stamp
Contains functionality to register a low level keyboard hook
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
behaviorgraph top1 signatures2 2 Behavior Graph ID: 255780 Sample: SecuriteInfo.com.Trojan.PWS... Startdate: 02/08/2020 Architecture: WINDOWS Score: 100 47 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->47 49 Found malware configuration 2->49 51 Yara detected AgentTesla 2->51 53 2 other signatures 2->53 6 SecuriteInfo.com.Trojan.PWS.Siggen2.52529.9043.exe 3 2->6         started        10 max.exe 3 2->10         started        12 max.exe 2 2->12         started        process3 file4 25 SecuriteInfo.com.T....52529.9043.exe.log, ASCII 6->25 dropped 55 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->55 57 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 6->57 59 Contains functionality to register a low level keyboard hook 6->59 14 SecuriteInfo.com.Trojan.PWS.Siggen2.52529.9043.exe 2 5 6->14         started        61 Machine Learning detection for dropped file 10->61 63 Injects a PE file into a foreign processes 10->63 19 max.exe 2 10->19         started        21 max.exe 10->21         started        23 max.exe 12->23         started        signatures5 process6 dnsIp7 31 bh-58.webhostbox.net 199.79.63.24, 49743, 49756, 587 PUBLIC-DOMAIN-REGISTRYUS United States 14->31 33 192.168.2.1 unknown unknown 14->33 27 C:\Users\user\AppData\Local\Temp\...\max.exe, PE32 14->27 dropped 29 C:\Users\user\...\max.exe:Zone.Identifier, ASCII 14->29 dropped 35 Hides that the sample has been downloaded from the Internet (zone.identifier) 14->35 37 Installs a global keyboard hook 14->37 39 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->39 41 Tries to steal Mail credentials (via file access) 19->41 43 Tries to harvest and steal ftp login credentials 19->43 45 Tries to harvest and steal browser information (history, passwords, etc) 19->45 file8 signatures9
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Status:
Malicious
First seen:
2020-07-14 22:44:18 UTC
AV detection:
25 of 31 (80.65%)
Threat level
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
AgentTesla Payload
AgentTesla

Yara Signatures


Rule name:Agenttesla_type2
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>
Rule name:win_agent_tesla_w1
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e41fbec10175660a9655724eef4cef7c29f281d337cf58a065ab18986f22d10f

(this sample)

  
Delivery method
Distributed via web download

Comments