MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b
SHA3-384 hash: 31d7ebe26fcb443bf5082062868200e0f4b897692a64ac4e676562245cfb513a5506aec809f50061563cbf209bbc1d2e
SHA1 hash: 178dc356191ebca6bf294525183212ac2e5a0bd8
MD5 hash: f855dffcbd21d4e4a59eed5a7a392af9
humanhash: oxygen-eleven-berlin-kentucky
File name:Moist.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:834'048 bytes
First seen:2020-09-20 13:36:11 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger)
ssdeep 12288:A9NBnRq7LI2iG1HFdZDic2hSgMvUSxs103cFXx+9ojgt7HW4vRACnx2yC3UUINN:ADc1GcSMvnc0M/+KjEjRbC3UUIn
Threatray 5 similar samples on MalwareBazaar
TLSH C805018577E5CA63F0651B3604E787152B78BEA2FB13C31766C0B0762C473D86E1E26A
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
119
Origin country :
n/a
Vendor Threat Intelligence
Detection:
Plugx
Create hunting rule
Link:
https://www.capesandbox.com/analysis/63899/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Creating a process from a recently created file
Launching a process
Using the Windows Management Instrumentation requests
DNS request
Sending a custom TCP request
Creating a file in the %temp% directory
Deleting a recently created file
Replacing files
Reading critical registry keys
Creating a file
Running batch commands
Enabling the 'hidden' option for recently created files
Unauthorized injection to a recently created process
Forced shutdown of a system process
Stealing user critical data
Unauthorized injection to a system process
Result
Threat name:
Unknown
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/470866
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to steal Mail credentials (via file access)
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 287866 Sample: Moist.exe Startdate: 20/09/2020 Architecture: WINDOWS Score: 100 42 Multi AV Scanner detection for dropped file 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 .NET source code contains potential unpacker 2->46 48 5 other signatures 2->48 8 Moist.exe 5 2->8         started        12 Chrome updater.exe 3 2->12         started        process3 file4 34 C:\Users\user\AppData\Roaming\...\Clipper.exe, PE32 8->34 dropped 50 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->50 52 Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines) 8->52 54 Queries memory information (via WMI often done to detect virtual machines) 8->54 14 Clipper.exe 2 8->14         started        17 Moist.exe 15 36 8->17         started        signatures5 process6 dnsIp7 56 Multi AV Scanner detection for dropped file 14->56 58 Machine Learning detection for dropped file 14->58 60 Drops PE files to the startup folder 14->60 21 Clipper.exe 1 14->21         started        36 ip-api.com 208.95.112.1, 49743, 80 TUT-ASUS United States 17->36 38 moist.company 185.178.208.149, 443, 49748 DDOS-GUARDRU Russian Federation 17->38 40 3 other IPs or domains 17->40 30 C:\Users\user\AppData\Local\...\Moist.exe.log, ASCII 17->30 dropped 62 Tries to steal Mail credentials (via file access) 17->62 24 cmd.exe 17->24         started        file8 signatures9 process10 file11 32 C:\Users\user\AppData\...\Chrome updater.exe, PE32 21->32 dropped 26 conhost.exe 24->26         started        28 timeout.exe 24->28         started        process12
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-09-20 13:35:42 UTC
File Type:
PE (.Net Exe)
Extracted files:
5
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
59b230d608d121a6969fa2eab41b020c57f99328319ebd92ef00cb4081562589
AgentTesla
618f4050d767d0c8f835ec3fa9e46b85b9291062a2e381122852238fa84c95f7
AgentTesla
7052536e8f3b3224cdc9edc70a1a7f3a26ad0fc9c620c80eb91f9168ce81ad0c
AgentTesla
733036ae8101048351d1cf684fe1bc02c1cf7a70725a470bec7cbd59a602738b
AgentTesla
b2f041348835c102db3769245ee4c28dd00cb19c3c6710fc9c11228f3bbce61b
AgentTesla
Result
Malware family:
echelon
Create hunting rule
Score:
  10/10
Tags:
spyware stealer family:echelon
Link:
https://tria.ge/reports/200920-kmqkn73m3x/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Accesses cryptocurrency wallets, possible credential harvesting
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
Executes dropped EXE
Echelon
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e44277fe9e90ba3107391676ad548812f33749da46db34ea877b1d6cdfb48d1b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/63899/

Comments