MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e71d977c9bacce7272da75781ecf31ebf29e4b3ee13ce8ba57071421a2457713. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 13 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e71d977c9bacce7272da75781ecf31ebf29e4b3ee13ce8ba57071421a2457713
SHA3-384 hash: 919c83667399b8a30eaed45753f5c56aea72cefc9f039a809ac88e8c65c6d5151018461e34eee50e5241ceb4544e9939
SHA1 hash: d3dcae16fec3a9c048abc3cefe369cbb5f79769e
MD5 hash: 230c5d72b8bfd4d14b4f9e55d2633345
humanhash: nevada-pennsylvania-music-undress
File name:230c5d72b8bfd4d14b4f9e55d2633345.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'525'760 bytes
First seen:2020-10-19 08:42:59 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'207 x SnakeKeylogger)
ssdeep 24576:dToJzNxwxElJdAUqoYzC3uaOHOCLkEkuf2eYtHD4BzHF/M72LZ2vvnHkGct4Y3F5:ZoJr/dAj7zJ1HrLkEDfQtj4BzHFkaZ28
Threatray 18 similar samples on MalwareBazaar
TLSH 8E65234AABF0CAF6D7BE567F20739010B3B895815653F73A768EB5641C26BB0CC409D8
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.Variant.MSILPerseus.236638.25315.13894.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% directory
Launching a process
Creating a file in the %AppData% subdirectories
Creating a file
Creating a process with a hidden window
DNS request
Sending a custom TCP request
Deleting a recently created file
Running batch commands
Using the Windows Management Instrumentation requests
Creating a file in the Windows subdirectories
Reading critical registry keys
Launching the process to change network settings
Sending an HTTP GET request
Launching the default Windows debugger (dwwin.exe)
Delayed writing of the file
Changing the Windows explorer settings
Blocking a possibility to launch for the Windows registry editor (regedit.exe)
Changing the Windows explorer settings to hide files extension
Blocking a possibility to launch for the Windows Task Manager (taskmgr)
Stealing user critical data
Enabling autorun by creating a file
Unauthorized injection to a system process
Enabling a "Do not show hidden files" option
Result
Threat name:
Osno
Create hunting rule
Detection:
malicious
Classification:
rans.troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/495108
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to hide user accounts
Disables the Windows registry editor (regedit)
Disables the Windows task manager (taskmgr)
Drops PE files to the startup folder
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines)
Sigma detected: Capture Wi-Fi password
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal WLAN passwords
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected AntiVM_3
Yara detected Osno Ransomware
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 300013 Sample: Pvw4F3qviK.exe Startdate: 19/10/2020 Architecture: WINDOWS Score: 100 93 Malicious sample detected (through community Yara rule) 2->93 95 Antivirus detection for dropped file 2->95 97 Sigma detected: Capture Wi-Fi password 2->97 99 14 other signatures 2->99 9 Pvw4F3qviK.exe 9 2->9         started        13 Chrome updaters.exe 2->13         started        process3 file4 61 C:\Users\user\AppData\...\Chrome updaters.exe, PE32 9->61 dropped 63 C:\...\Chrome updaters.exe:Zone.Identifier, ASCII 9->63 dropped 65 C:\Users\user\AppData\...\Pvw4F3qviK.exe.log, ASCII 9->65 dropped 107 Drops PE files to the startup folder 9->107 109 Writes to foreign memory regions 9->109 111 Injects a PE file into a foreign processes 9->111 15 MSBuild.exe 19 25 9->15         started        67 C:\Users\user\AppData\Local\...\r77-x64.dll, PE32+ 13->67 dropped 69 C:\Users\user\AppData\Local\...\r77-x86.dll, PE32 13->69 dropped 19 MSBuild.exe 13->19         started        signatures5 process6 dnsIp7 71 201.75.14.0.in-addr.arpa 15->71 73 ip-api.com 208.95.112.1, 49736, 49744, 80 TUT-ASUS United States 15->73 79 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 15->79 81 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 15->81 83 Changes the view of files in windows explorer (hidden files and folders) 15->83 91 2 other signatures 15->91 21 cmd.exe 15->21         started        24 cmd.exe 15->24         started        26 powershell.exe 25 15->26         started        28 2 other processes 15->28 75 201.75.14.0.in-addr.arpa 19->75 77 192.168.2.1 unknown unknown 19->77 85 Tries to harvest and steal browser information (history, passwords, etc) 19->85 87 Adds a directory exclusion to Windows Defender 19->87 89 Tries to harvest and steal WLAN passwords 19->89 signatures8 process9 signatures10 101 Queries sensitive Plug and Play Device Information (via WMI, Win32_PnPEntity, often done to detect virtual machines) 21->101 103 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 21->103 105 Tries to harvest and steal WLAN passwords 21->105 30 cmd.exe 21->30         started        33 cmd.exe 21->33         started        35 powershell.exe 21->35         started        45 5 other processes 21->45 37 conhost.exe 24->37         started        39 tasklist.exe 24->39         started        41 conhost.exe 26->41         started        43 conhost.exe 28->43         started        process11 signatures12 113 Tries to harvest and steal WLAN passwords 30->113 47 conhost.exe 30->47         started        49 chcp.com 30->49         started        51 netsh.exe 30->51         started        53 conhost.exe 33->53         started        55 tasklist.exe 33->55         started        57 conhost.exe 35->57         started        59 conhost.exe 45->59         started        process13
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e71d977c9bacce7272da75781ecf31ebf29e4b3ee13ce8ba57071421a2457713/
Threat name:
ByteCode-MSIL.Trojan.Perseus
Create hunting rule
Status:
Malicious
First seen:
2020-10-19 02:34:58 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=44ozo7e3vthhe4w2ov4b5tzr5pzj4sz64e6orosxa4kcdisfo4jq._file
Verdict:
suspicious
Similar samples:
0437a3b7c497908d0dc489a1b21cf395b76eedae8f1a1b473ecbb5f02e892bf9
AgentTesla
080f9972ebfb306946e213424ef0970affd55dc8625bb4a2f3d3e38d2a6e2d72
AgentTesla
10b2e74fdeacd4b00b7687eca2f1bfe0c30901561453ae6c1b9549406b29615e
AgentTesla
3bb9f55514122071824320091030f517a2809c140d86791275037569b26f53f1
AgentTesla
5073dae4db5d373083392acc876b2cee4a9c0a06001be580dd5fbca8f6124f68
AgentTesla
88862ca221d9e5f6c871c460a53a0f90ceebaa5a20d8c45b8ec6a9413592f38d
AgentTesla
c1e6c2059e61bc54c31696c04fca0b366fdd9d0ac84d7db2ad545ddf2b4b18f0
AgentTesla
c8c3bc6c01dee147be04e3fbaeb5ff72fbee21e676ba04b7326738e692cec9d0
AgentTesla
ccdf6799e7fceaa24cdaaf41ba79fdafaf04a2a8e64dd9bf40cf3ddce9345adf
AgentTesla
f902d33ba5996db886cd1f33e62759cd13605c1c825e3214032f92c4fed730b8
AgentTesla
+ 8 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer evasion spyware persistence trojan family:agenttesla
Link:
https://tria.ge/reports/201019-jkqw9sprts/
Behaviour
Enumerates processes with tasklist
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies service
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads user/profile data of web browsers
Disables Task Manager via registry modification
AgentTesla Payload
AgentTesla
Modifies visibility of file extensions in Explorer
Unpacked files
SH256 hash:
87838a21bddb1be4263e405066b8c2c68fc1d2e3a4b166dd03d04f8e2ffc7db6
MD5 hash:
68a1bdd95124ae49e4f07014843efe1e
SHA1 hash:
db033056ee5760d84c6474d42ef40522df406e2b
Link:
https://www.unpac.me/results/81d48f1f-51fe-44de-8db2-c80426be48d8/
SH256 hash:
173f74176d13c235d744f9e32d658f6301a6b1aa81a014060ba763b55e516fe3
MD5 hash:
4a35aaf2d4ab47f5ea6f75d2de75c831
SHA1 hash:
007676d2097defe7f793f9fb1ffe2f48c0c94ac0
Link:
https://www.unpac.me/results/81d48f1f-51fe-44de-8db2-c80426be48d8/
SH256 hash:
331a9615e5292613405635d542cd8c323b17f1ae3da50e010f87bd7a6384b755
MD5 hash:
9b0794dacd0344fc869d7e1dceca0dfe
SHA1 hash:
29a9ef9595f8f9cbeeeface4c53d3c6e48b9d734
Link:
https://www.unpac.me/results/81d48f1f-51fe-44de-8db2-c80426be48d8/
SH256 hash:
3b39bf2024cb62e287033f409848806fb2e035fedafca757a63ca44a09b02657
MD5 hash:
59685df1ca691dedb800e5fffa9fd086
SHA1 hash:
7fb2467548cc06cd29d90af6dd5c6adf0b56aca0
Link:
https://www.unpac.me/results/81d48f1f-51fe-44de-8db2-c80426be48d8/
SH256 hash:
e3f9ac02690808ee8e82aeb07cb5c2a5bea0ec6b704f12749e6e1de14b996b55
MD5 hash:
80a1256052a8c22d8417f99945170b82
SHA1 hash:
d9a167b2a7e3611717b00a037686203935900297
Link:
https://www.unpac.me/results/81d48f1f-51fe-44de-8db2-c80426be48d8/
SH256 hash:
ea6ab29f0fff7c547289652df2ab4b36898f84175f78d01dae8f1d76b29f3f4d
MD5 hash:
1959fa25317b49f5a313c7e1b3c70467
SHA1 hash:
faa5eef48cff4f867b7ed19d2a942ff99fffa04c
Link:
https://www.unpac.me/results/81d48f1f-51fe-44de-8db2-c80426be48d8/
SH256 hash:
e71d977c9bacce7272da75781ecf31ebf29e4b3ee13ce8ba57071421a2457713
MD5 hash:
230c5d72b8bfd4d14b4f9e55d2633345
SHA1 hash:
d3dcae16fec3a9c048abc3cefe369cbb5f79769e
Link:
https://www.unpac.me/results/81d48f1f-51fe-44de-8db2-c80426be48d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.70
Link:
https://yomi.yoroi.company/submissions/e71d977c9bacce7272da75781ecf31ebf29e4b3ee13ce8ba57071421a2457713

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:Choice_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del
Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Keylog_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Contains Keylog
Rule name:Quasar_RAT_1
Create hunting rule
Author:Florian Roth
Description:Detects Quasar RAT
Reference:https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
Rule name:RDPWrap
Create hunting rule
Author:@bartblaze
Description:Identifies RDP Wrapper, sometimes used by attackers to maintain persistence.
Reference:https://github.com/stascorp/rdpwrap
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Stealer_word_in_memory
Create hunting rule
Author:James_inthe_box
Description:The actual word stealer in memory
Rule name:Steam_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Steam in files like avemaria
Rule name:Telegram_bot_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria
Rule name:Telegram_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Telegram in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe e71d977c9bacce7272da75781ecf31ebf29e4b3ee13ce8ba57071421a2457713

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/716640/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/72814/
  
URLhaus
https://urlhaus.abuse.ch/url/716647/

Comments