MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e4b90ead6d3a8882fd16860758acdb01866faa4776bcf2619421d6a45d556e7a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e4b90ead6d3a8882fd16860758acdb01866faa4776bcf2619421d6a45d556e7a
SHA3-384 hash: 52734f693774733ba4c35333ab9f74913ee40c9f0815b4788d16687ea1c58b219a108078fdb7fb8a6d8194e7c23c44a0
SHA1 hash: 185b21ad9c0e675649aa108502ebed77038676e4
MD5 hash: 03a77b572ec125b5e9d96cba49c7a449
humanhash: oklahoma-fillet-high-tennessee
File name:QIHi0wWoysDeVel.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:893'440 bytes
First seen:2020-07-20 11:37:55 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:/pakmKLFQ1q9I6/kldSCGDyM0UN89N63CK8qJ3+J7od+ik4g8y3SoDmrk7q:/pazKWOPWM0cmxq+RrEloDmc
Threatray 10'607 similar samples on MalwareBazaar
TLSH 8815E0C93A40940EC59E1EBA5E51CD70C370A942F2F3E34767C66EDE297E39BC905292
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: srv2.datawire.gr
Sending IP: 88.208.220.16
From: Örn Guðmundsson <orn@fastus.is>
Reply-To: orn.fastus.is@gmail.com
Subject: Enquiry List
Attachment: Enquirylist.img (contains "QIHi0wWoysDeVel.exe")

AgentTesla SMTP exfil server:
mail.dipromedicos.com:587

AgentTesla SMTP exfil email address:
sales@fastuss.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/29027/
Detection(s):
SecuriteInfo.com.CIL.HeapOverride.Heur.7276.UNOFFICIAL
Create hunting rule

Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/391489
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 248130 Sample: QIHi0wWoysDeVel.exe Startdate: 21/07/2020 Architecture: WINDOWS Score: 100 37 Found malware configuration 2->37 39 Antivirus / Scanner detection for submitted sample 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 2 other signatures 2->43 6 IpMrV.exe 1 2->6         started        9 QIHi0wWoysDeVel.exe 1 2->9         started        12 IpMrV.exe 2->12         started        process3 file4 45 Antivirus detection for dropped file 6->45 47 Multi AV Scanner detection for dropped file 6->47 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 6->49 51 Machine Learning detection for dropped file 6->51 14 IpMrV.exe 2 6->14         started        29 C:\Users\user\...\QIHi0wWoysDeVel.exe.log, ASCII 9->29 dropped 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 9->53 55 Contains functionality to register a low level keyboard hook 9->55 18 QIHi0wWoysDeVel.exe 1 5 9->18         started        21 QIHi0wWoysDeVel.exe 9->21         started        57 Injects a PE file into a foreign processes 12->57 23 IpMrV.exe 2 12->23         started        signatures5 process6 dnsIp7 31 mail.dipromedicos.com 14->31 59 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->59 61 Tries to steal Mail credentials (via file access) 14->61 63 Tries to harvest and steal ftp login credentials 14->63 65 Tries to harvest and steal browser information (history, passwords, etc) 14->65 33 dipromedicos.com 192.99.85.152, 49716, 49717, 587 OVHFR Canada 18->33 35 mail.dipromedicos.com 18->35 25 C:\Users\user\AppData\Roaming\...\IpMrV.exe, PE32 18->25 dropped 27 C:\Users\user\...\IpMrV.exe:Zone.Identifier, ASCII 18->27 dropped 67 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->67 69 Installs a global keyboard hook 18->69 file8 signatures9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e4b90ead6d3a8882fd16860758acdb01866faa4776bcf2619421d6a45d556e7a/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-07-20 11:16:28 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4s4q5llnhkeif7iwqydvrlg3agdg7ksho26peymuehlkixkvnz5a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
294cf2895407982e76f245557284a2c6eec761afd0d00d79dd30564a87a9bac0
AgentTesla
5568021e42a81a2755fd6d968efa50b13f99a9997d8973097231079de84832ad
AgentTesla
70e55061f4e965a512c042bc1541f3d4e5a910a493ffb63d5a123f9c82a94f70
AgentTesla
70e99108b5577011f7484785487d9cb5149dd1070138fa121407658053322cdd
AgentTesla
7e393bcd518415ad70e7a6924c8798391400554fce9c2a639a891dcda4f8e230
AgentTesla
916af86a5bfa7f558b376344b9aaf6e4440d21f2b38da0bb9fd60b1d4a578809
AgentTesla
adbdc4cbb6b8805700fcfd618e763872f6960f5989a62c9cdffc961d9b0f3e39
AgentTesla
af7aa3b76b8d11ba1d518006e2b4ea6d574573bd2bba6594a57825e33f9ed87c
AgentTesla
b762913bb02e0e7f3b2dd7be4b813923fbb0389e699d2b6f846bfecad6c8c72a
AgentTesla
b81898c8e22774e33768ab962a3acca0c718197c2b4434f3ae51761569bd7ccb
AgentTesla
+ 10'597 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla persistence
Link:
https://tria.ge/reports/200720-sj7dr4ancs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Unknown
Score:
0.87
Link:
https://yomi.yoroi.company/submissions/e4b90ead6d3a8882fd16860758acdb01866faa4776bcf2619421d6a45d556e7a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 08c58c4100dac7c47ef653298e3c0a905411f1ddb97287ed6a53720edd8ca4df

AgentTesla

Executable exe e4b90ead6d3a8882fd16860758acdb01866faa4776bcf2619421d6a45d556e7a

(this sample)

  
Dropped by
MD5 7106c40af0c6b0932bde7893803d1b6d
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/29027/
  
Dropped by
SHA256 08c58c4100dac7c47ef653298e3c0a905411f1ddb97287ed6a53720edd8ca4df

Comments