MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eb531fc8e0491b4361a4519110467f475aeb2e418018f97e7e4f1548bca05862. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


Intelligence File information Yara Comments

SHA256 hash: eb531fc8e0491b4361a4519110467f475aeb2e418018f97e7e4f1548bca05862
SHA3-384 hash: c43edf9ceedde6b5a0b35dea221a40e003e46c0cef5e66d5de5e5216e7a591c0982858f55536c760039cb809d768e850
SHA1 hash: d11535a8533a3a70d49c4ee09315bd61dde06ab2
MD5 hash: dcf7add878e1e15a80ae49a24f193a33
humanhash: north-johnny-september-florida
File name:SecuriteInfo.com.Trojan.GenericKD.43525182.28643.16638
Download: download sample
Signature AgentTesla
File size:750'560 bytes
First seen:2020-08-01 19:30:53 UTC
Last seen:2020-08-02 07:34:59 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744
ssdeep 12288:bMLQQwOYYgIOlG1wrGXprlY2U/AC2TSGe:sdYYxwrGX7Y9/n2TSGe
TLSH 93F43876AAC47A30D5A119F274C6EE1C1F6868A3D8334E66BD802DCDF7E05B47E88135
Reporter @SecuriteInfoCom
Tags:AgentTesla

Intelligence


File Origin
# of uploads :
2
# of downloads :
22
Origin country :
FR FR
Mail intelligence
No data
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Reading critical registry keys
Setting a keyboard event handler
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Moving of the original file
Changing the hosts file
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Signature
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Modifies the hosts file
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 255593 Sample: SecuriteInfo.com.Trojan.Gen... Startdate: 01/08/2020 Architecture: WINDOWS Score: 100 29 cdn.onenote.net 2->29 31 asf-ris-prod-neurope.northeurope.cloudapp.azure.com 2->31 49 Found malware configuration 2->49 51 Yara detected AgentTesla 2->51 7 SecuriteInfo.com.Trojan.GenericKD.43525182.28643.exe 3 2->7         started        10 NBUGIoN.exe 3 2->10         started        12 NBUGIoN.exe 2 2->12         started        signatures3 process4 signatures5 53 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->53 55 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->55 14 SecuriteInfo.com.Trojan.GenericKD.43525182.28643.exe 2 5 7->14         started        57 Injects a PE file into a foreign processes 10->57 19 NBUGIoN.exe 2 10->19         started        21 NBUGIoN.exe 12->21         started        process6 dnsIp7 33 amazing-cool.com 103.118.26.53, 25, 49761, 49763 NSS-GROUP-AS-TWNSSINTLCOLTDTW Taiwan; Republic of China (ROC) 14->33 23 C:\Users\user\AppData\Roaming\...23BUGIoN.exe, PE32 14->23 dropped 25 C:\Windows\System32\drivers\etc\hosts, ASCII 14->25 dropped 27 C:\Users\user\...27BUGIoN.exe:Zone.Identifier, ASCII 14->27 dropped 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 14->35 37 Moves itself to temp directory 14->37 39 Tries to steal Mail credentials (via file access) 14->39 47 2 other signatures 14->47 41 Tries to harvest and steal ftp login credentials 19->41 43 Tries to harvest and steal browser information (history, passwords, etc) 19->43 45 Hides that the sample has been downloaded from the Internet (zone.identifier) 19->45 file8 signatures9
Threat name:
ByteCode-MSIL.Worm.LovGate
Status:
Malicious
First seen:
2020-07-20 13:37:17 UTC
AV detection:
21 of 31 (67.74%)
Threat level
  5/5
Result
Malware family:
agenttesla
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla persistence
Behaviour
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of SetThreadContext
Adds Run key to start application
Reads user/profile data of web browsers
Reads user/profile data of local email clients
Reads data files stored by FTP clients
Drops file in Drivers directory
AgentTesla Payload
AgentTesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe eb531fc8e0491b4361a4519110467f475aeb2e418018f97e7e4f1548bca05862

(this sample)

  
Delivery method
Distributed via web download

Comments