MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e50738bd86a1d753a2ccf0e88cfca85fb58986ce16cb9db779e3cbb45e9a4c07. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e50738bd86a1d753a2ccf0e88cfca85fb58986ce16cb9db779e3cbb45e9a4c07
SHA3-384 hash: 4c99ce5765f051a018e062f7e4543afaf984c6fa592546bf438c04147b6f79a7e7acf34c6888bd3306940be053707357
SHA1 hash: d3e9536cbe68699c134823f4730e9a388b403b3b
MD5 hash: cd8b7c72ba0756f8e6477259d399b960
humanhash: shade-washington-march-jig
File name:Overdue Account.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'164'288 bytes
First seen:2020-09-28 13:32:46 UTC
Last seen:2020-09-28 14:46:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'639 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 24576:KyBLjP6+b1EyCGcZV/zerKsAEUVTa9hJz7H:rP1MT/SujEQTKD7H
Threatray 9'335 similar samples on MalwareBazaar
TLSH 1345E0DAAE449632C26D5FB840B1BE2E03FCDD43FE8292754537B44E887AA9D4E10DD1
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66427/
Detection(s):
SecuriteInfo.com.Trojan.Packed2.42595.26839.12096.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Forced shutdown of a system process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Changing the hosts file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/476421
Signature
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290661 Sample: Overdue Account.exe Startdate: 28/09/2020 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Found malware configuration 2->52 54 Multi AV Scanner detection for dropped file 2->54 56 7 other signatures 2->56 7 Overdue Account.exe 4 2->7         started        11 WCPCe.exe 2 2->11         started        13 WCPCe.exe 1 2->13         started        process3 file4 32 C:\Users\user\AppData\...\jYbhQanutam.exe, PE32 7->32 dropped 34 C:\Users\user\AppData\Local\...\tmpBF49.tmp, XML 7->34 dropped 36 C:\Users\user\...\Overdue Account.exe.log, ASCII 7->36 dropped 58 Writes to foreign memory regions 7->58 60 Allocates memory in foreign processes 7->60 62 Injects a PE file into a foreign processes 7->62 15 RegSvcs.exe 2 4 7->15         started        20 schtasks.exe 1 7->20         started        22 conhost.exe 11->22         started        24 conhost.exe 13->24         started        signatures5 process6 dnsIp7 38 prcpl.com 173.254.75.123, 49722, 587 UNIFIEDLAYER-AS-1US United States 15->38 40 mail.prcpl.com 15->40 28 C:\Users\user\AppData\Roaming\...\WCPCe.exe, PE32 15->28 dropped 30 C:\Windows\System32\drivers\etc\hosts, ASCII 15->30 dropped 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->42 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 15->44 46 Tries to steal Mail credentials (via file access) 15->46 48 5 other signatures 15->48 26 conhost.exe 20->26         started        file8 signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/e50738bd86a1d753a2ccf0e88cfca85fb58986ce16cb9db779e3cbb45e9a4c07/
Threat name:
Win32.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-09-28 05:53:49 UTC
File Type:
PE (.Net Exe)
Extracted files:
34
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=4udtrpmguhlvhiwm6duiz7fil62ytbwoc3fz3n3z4pf3ixu2jqdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
01cd063d42c49b0612db611805a26403a9418e18f683321012809158bbd27742
AgentTesla
14f5a4291505c26453b17f8f81861a861b6af3c5d25447f409137220383dd14d
AgentTesla
3e8e7c9ebb8ae4bbb723e1974f176f8cb82ec0fb4e1890ee1f4feed08ae76058
AgentTesla
426ffa75739fe8c76f9b42c13944cbde5de6715394131f8e02fa83027de328f2
AgentTesla
68830a24fb818aea27e54e97f4dec890d751166eecb7c02ea3cb03c823e5fe65
AgentTesla
9029fc110d6ad30af1c140d2c7af2192b17c04986ba7bacebed72d58c84241a7
AgentTesla
b90e648ea2d913c493765798db8d443a355bcba18f973c5957e5f959ad794a60
AgentTesla
c9c89543724cc2517b6f7a873f9c33cc055c237829c65a268dbdf64a21b4dd95
AgentTesla
cd1330f16e6849546ee8b46e8a81ce9fe10a70c1377e2179e71151df6bd9379c
AgentTesla
ee923a4dd9e77a796c589b01ed52bfd3d5b72502e8307c9c362a2d9f6379d197
AgentTesla
+ 9'325 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla persistence
Link:
https://tria.ge/reports/200928-vlh1trhdzn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
e50738bd86a1d753a2ccf0e88cfca85fb58986ce16cb9db779e3cbb45e9a4c07
MD5 hash:
cd8b7c72ba0756f8e6477259d399b960
SHA1 hash:
d3e9536cbe68699c134823f4730e9a388b403b3b
Link:
https://www.unpac.me/results/42135af8-39b9-4930-b7cc-53cb89559d9a/
SH256 hash:
9eba19a2b6f8c05f09054365b104fcd207d3c8681e37e9aecd3ce411aefb076e
MD5 hash:
bd38725be9760ffef0a7ddd8434f24b6
SHA1 hash:
6e5c102e73f25c5908c051205e60469016b47860
Link:
https://www.unpac.me/results/42135af8-39b9-4930-b7cc-53cb89559d9a/
SH256 hash:
37c4aa946033f84334ef8fa13978759063e69f386651af3edcb7199da39c4223
MD5 hash:
1d5a1c18ab020a1c9747823ce05360bd
SHA1 hash:
cf604e1f4d71ed3836765aec96816cc86768fe2d
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/42135af8-39b9-4930-b7cc-53cb89559d9a/
Parent samples :
e50738bd86a1d753a2ccf0e88cfca85fb58986ce16cb9db779e3cbb45e9a4c07
9d6e549d53c3215a63c433e0116f4101d6929c5b1f0f71da18f603481a5c6135
SH256 hash:
729a1b125fb330463c22a87c061e384300f49bd9d6793836bb3e52bcb61cc03f
MD5 hash:
ac3f427e66b28b013b0b651c2f71d1e9
SHA1 hash:
ddf8b4b1d36aced75740632b41d30add06b5db3d
Link:
https://www.unpac.me/results/42135af8-39b9-4930-b7cc-53cb89559d9a/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Gamarue
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e50738bd86a1d753a2ccf0e88cfca85fb58986ce16cb9db779e3cbb45e9a4c07

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 0f7fbfe6bfd65c275278c0e4d96932a5dd15dac0c6b72ebbb99caa5f2b64f5f8

AgentTesla

Executable exe e50738bd86a1d753a2ccf0e88cfca85fb58986ce16cb9db779e3cbb45e9a4c07

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0f7fbfe6bfd65c275278c0e4d96932a5dd15dac0c6b72ebbb99caa5f2b64f5f8
Cape
Cape
https://www.capesandbox.com/analysis/66427/

Comments