MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e759e5aba80d6d3f1baf88ed67ef7d103caf3d1c6504453552524e7b45457f82. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	e759e5aba80d6d3f1baf88ed67ef7d103caf3d1c6504453552524e7b45457f82
SHA3-384 hash:	9e064275a1804bbce3a36fd66384da59fb075b73f7d52386ae067b1b22c76877a0b0b8172c9268998778ac9484324294
SHA1 hash:	b04790ff413e4dede7be6e0b24122752bce2a414
MD5 hash:	b9e77be86f7bd7ec3f4fbfb8a0bd60cc
humanhash:	april-don-oklahoma-six
File name:	files.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	817'664 bytes
First seen:	2020-08-13 06:55:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0aa3dcbdd0727cba5785897870b1d0ce (14 x AgentTesla, 6 x Loki, 3 x Formbook)
ssdeep	12288:0kTCaGA3RukdYUSTkq31mZqB5ke5C5y3ptXp0+Dd8HjJVR3l5DPd6VFqba3z:70CEU+DTk0lp5e+Dd8HjJz3lb6r/j
Threatray	11'132 similar samples on MalwareBazaar
TLSH	B6059D62B2E0483ED026153D9F3B5FE49CE5BE512E2858462BE41C4F7F3968D383529E
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: mail.sekawan.com
Sending IP: 45.251.72.199
From: Janet Quacy <38d71b186d34d349c01967ef0eb1130b@sekawan.com>
Subject: RE: Invoice For Shipment / Departure Date 14-08-2020
Attachment: Invoice no. Q1-4001028L.img (contains "files.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/44900/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/425286

Signature

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e759e5aba80d6d3f1baf88ed67ef7d103caf3d1c6504453552524e7b45457f82/

Threat name:

Win32.Hacktool.CeeInject

Status:

Malicious

First seen:

2020-08-13 06:57:09 UTC

AV detection:

26 of 29 (89.66%)

Threat level:

1/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=45m6lk5ibvwt6g5prdwwp335ca6k6pi4muceknkskjhhwrkfp6ba._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

27d6e0aa8a7734ceaf0872c545900c87d83bc2955927ba3d0d34739f4d653291

AgentTesla

42559744a026afaece34c2e4175903ba2d286f269042603c26f488f43c2c0b9f

AgentTesla

425d0b685a7fb99078c3c3f81929c0a7a8836cb0f901d4950afca8ea1cc9839f

AgentTesla

4d8d60702145448a23d9304e58670f55d8449d2281a6ca9d6d95dbc25cb4e598

AgentTesla

561e958f45a2dd0447ee42d6af6907cc18701dfa6c7c68b3032fe05156ef22ce

AgentTesla

9d839079365af7cef63e51d9b4e8f751272cb753852dc67092ae84dde4bf1778

AgentTesla

a3b3496ba8c46ec8bd2ff838a33a7d99f2d81d6daf89044432f77e6e90ba1493

AgentTesla

e6a9bbee2b3b1dec06bfcddd17711777d7d14171e9c180a7310f6bb9cabf6879

AgentTesla

f39eb32160617d925ba16ec394dc9d351d5c3f8d975ccb2dfc99f601b50fa0ce

AgentTesla

+ 11'122 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx keylogger stealer spyware trojan family:agenttesla

Link:

https://tria.ge/reports/200813-54d6xkt54n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/e759e5aba80d6d3f1baf88ed67ef7d103caf3d1c6504453552524e7b45457f82

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar