MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e89889711d785d69e4add9eb3894af8b09dac30f7b00d977a803ae9bbca08f67. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 5 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: e89889711d785d69e4add9eb3894af8b09dac30f7b00d977a803ae9bbca08f67
SHA3-384 hash: a52953f86436a4bb7eff730453dcc5da8c9a4657b384054ec7ed2799ae0fc33fa1b142f36ad7ac7ac55721cb9c9d50c7
SHA1 hash: 0960395a813858022c3ba60c3366dedf4b6f87cf
MD5 hash: 3cafdba1b1f2eab24242b14d776e1216
humanhash: tango-whiskey-skylark-jig
File name:第1车 (15:00) 4.30巴西61K2和巴西61M2拼车中港订车.xls.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'214'464 bytes
First seen:2021-04-30 05:18:20 UTC
Last seen:2021-04-30 06:58:50 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'741 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:15SVFoLAKeZz0IYeMIJQG+0K1PRV16s+CUiK+sKjbJr+F2:15Snz0IoYKjvBUPjS
Threatray 5'005 similar samples on MalwareBazaar
TLSH 20457CAC725064EEC71B8C32A7CF5C0592242D716A3BA90B971333BD5A3FE576E38485
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
4
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/147176/
Detection(s):
SecuriteInfo.com.Variant.Bulz.456323.18036.28872.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Using the Windows Management Instrumentation requests
Forced shutdown of a system process
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/703996
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 400920 Sample: 8f66.xls.exe Startdate: 30/04/2021 Architecture: WINDOWS Score: 100 45 mail.akdogulojistik.com 2->45 47 akdogulojistik.com 2->47 57 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->57 59 Found malware configuration 2->59 61 Multi AV Scanner detection for dropped file 2->61 63 8 other signatures 2->63 8 8f66.xls.exe 6 2->8         started        12 CsGlckR.exe 2 2->12         started        14 CsGlckR.exe 1 2->14         started        signatures3 process4 file5 33 C:\Users\user\AppData\Roaming\mojOslGyL.exe, PE32 8->33 dropped 35 C:\Users\user\AppData\Local\...\tmp8943.tmp, XML 8->35 dropped 37 C:\Users\user\AppData\...\8f66.xls.exe.log, ASCII 8->37 dropped 65 Uses schtasks.exe or at.exe to add and modify task schedules 8->65 67 Writes to foreign memory regions 8->67 69 Injects a PE file into a foreign processes 8->69 16 RegSvcs.exe 17 4 8->16         started        21 schtasks.exe 1 8->21         started        23 conhost.exe 12->23         started        25 conhost.exe 14->25         started        signatures6 process7 dnsIp8 39 elb097307-934924932.us-east-1.elb.amazonaws.com 54.225.169.203, 443, 49742 AMAZON-AESUS United States 16->39 41 nagano-19599.herokussl.com 16->41 43 api.ipify.org 16->43 29 C:\Users\user\AppData\Roaming\...\CsGlckR.exe, PE32 16->29 dropped 31 C:\Windows\System32\drivers\etc\hosts, ASCII 16->31 dropped 49 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 16->49 51 May check the online IP address of the machine 16->51 53 Tries to steal Mail credentials (via file access) 16->53 55 5 other signatures 16->55 27 conhost.exe 21->27         started        file9 signatures10 process11
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/e89889711d785d69e4add9eb3894af8b09dac30f7b00d977a803ae9bbca08f67/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-04-29 18:17:50 UTC
File Type:
PE (.Net Exe)
Extracted files:
48
AV detection:
17 of 47 (36.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5cmis4i5pbowtzfn3hvtrffprme5vqyppmans55iaoxjxpfar5tq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f95895a5ea5227304c10231e948c8f463d02a5d7d11097c25713d9672ed3c4b
AgentTesla
13ff472515c393678075f24544aa4cc93ca66f90846fa25acb3cf70d254b52c0
AgentTesla
2ac2a30975264ce09e13a0e42e522247f5aea52fd3b4decc41d7438245627910
AgentTesla
482e088e44a3e514ac0336587be7d148c85b9264b764ff83441d6ef5f2baf110
AgentTesla
48899f3f038a01c3dcf2d263e0232ccc3c44fff9635165f894d7da232e625bf1
AgentTesla
7cf016920f62f4cd984f9fdc9c9976b07888c891b52a8c6c95c47cc3628bde21
AgentTesla
81959244e301890985aa85e48397b790244d52d57eaa82ae24d746946f1eab0e
AgentTesla
98fe679693d1f5a9c43102f6b95c4e85ef347e7e616fba8ec87d7c6b6beab98c
AgentTesla
bd53a8cc4f90dbe541f778176164e50279e6809495ed2fcb8cfc92570e16119e
AgentTesla
c185f1b12000aef63c347017f36ab8b9e67a08fcc22e5ed83695c1cc4f168f23
AgentTesla
+ 4'995 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210430-k74pxctcj2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
855fdfd3517fb75264080fd81512c228cbe2bc4ecc3a088ed5b6ebdc582c6181
MD5 hash:
46bd1c006d9298c2827da08012edef95
SHA1 hash:
f4863a3a51f043203c9ddae439aca220d4586b93
Link:
https://www.unpac.me/results/83a17245-4b95-46dc-93f5-787a97841e71/
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
Link:
https://www.unpac.me/results/83a17245-4b95-46dc-93f5-787a97841e71/
SH256 hash:
4c2e2ecc93f4fd8c74f7c294eb4c6b5d2ef3aba9b1eebcd9797dd2d9ab71c367
MD5 hash:
35635114fea5761438c14e677ac66c40
SHA1 hash:
76a3b0a64c6160eee5ecaa8c9d458f698cbf7a0d
Link:
https://www.unpac.me/results/83a17245-4b95-46dc-93f5-787a97841e71/
SH256 hash:
e89889711d785d69e4add9eb3894af8b09dac30f7b00d977a803ae9bbca08f67
MD5 hash:
3cafdba1b1f2eab24242b14d776e1216
SHA1 hash:
0960395a813858022c3ba60c3366dedf4b6f87cf
Link:
https://www.unpac.me/results/83a17245-4b95-46dc-93f5-787a97841e71/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/e89889711d785d69e4add9eb3894af8b09dac30f7b00d977a803ae9bbca08f67

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:Telegram_Exfiltration_Via_Api
Create hunting rule
Author:lsepaolo
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar ac2920d92671cc53fb3264b2366932bc826bdbfe91b811376e3a9215571be340

AgentTesla

Executable exe e89889711d785d69e4add9eb3894af8b09dac30f7b00d977a803ae9bbca08f67

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ac2920d92671cc53fb3264b2366932bc826bdbfe91b811376e3a9215571be340
Cape
Cape
https://www.capesandbox.com/analysis/147176/

Comments


Avatar
a̵c̵c̸i̵d̷e̵n̷t̴a̷l̴r̵e̷b̸e̴l̸ commented on 2021-04-30 06:04:29 UTC

============================================================
MBC behaviors list (github.com/accidentalrebel/mbcscan):
============================================================
0) [B0009] Anti-Behavioral Analysis::Virtual Machine Detection