MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ec379ea581609100b8ddfcf28eea0dc40ce72fb9e9f3dd310e0dfbeaf06bef0f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9


SHA256 hash: ec379ea581609100b8ddfcf28eea0dc40ce72fb9e9f3dd310e0dfbeaf06bef0f
SHA3-384 hash: 43350fce975e6e300e7d0d80f6b1c09dbb3c6717874835944d2a1e5109e1800630b7e363c8e1b4b61cf7de5e129bd902
SHA1 hash: 4a7f58c8414b57060f6461363f35fc9832edcd1f
MD5 hash: 99e9ccb0364e04128f0a694c34e3bc54
humanhash: mockingbird-single-minnesota-jersey
File name: TT payment.exe
Signature: AgentTesla
File size: 729'600 bytes
First seen: 2020-10-21 09:53:44 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep: 12288:B69ippVROZoZcobU1W7afSwM0myxRIJzQBXnm5/0pn6BtnmPxMWYIgcEk+dYQopr:IcpiqcOUSafS70myxRIMg/qnqtnEgIgO
Threatray: 9'570 similar samples on MalwareBazaar
TLSH: F8F401322E48AF25F4BC573B50A4051053FAE905E333C21BBDF661CDA666BA98573B13
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing AgentTesla:

HELO: cgi.centirn.net
Sending IP: 104.131.5.182
From: cindy accounts <info@centirn.net>
Subject: TT COPY/ confirm payment
Attachment: TT payment.zip (contains "TT payment.exe")

AgentTesla SMTP exfil server:
smtp.blenco.eu:587

Intelligence


File Origin
# of uploads: 1
# of downloads: 77
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Moving of the original file
Stealing user critical data
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-10-21 02:46:18 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: keylogger stealer spyware trojan family:agenttesla
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SHA256 hash:
92445eaf98980e03200ac4ed82dd44fecd40847205d9a4ecbabd35c2d98a94ef
MD5 hash:
08736645ac497587572b36eece4aab55
SHA1 hash:
72cf289de891229d37ec676eda20288dce99b234
SHA256 hash:
5fc41a6960fb44c9648d05d9fe5204b952a1d7782ee2e73a28cfe2e12d890be4
MD5 hash:
d12f8382be43d9084f16180849750659
SHA1 hash:
767c6ef982d59f177f63791353deef7cada00935
SHA256 hash:
07825bb443b7e1ae8766d3b6f72d4ca660cd06674cada58a8b18af9769bd1680
MD5 hash:
75e5954fc8ea6039c49b098c580dcbad
SHA1 hash:
dc1e9cd3c4d64124d672a2c8548ef9dc9c82236a
Detections: win_agent_tesla_w1
SHA256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
SHA256 hash:
ec379ea581609100b8ddfcf28eea0dc40ce72fb9e9f3dd310e0dfbeaf06bef0f
MD5 hash:
99e9ccb0364e04128f0a694c34e3bc54
SHA1 hash:
4a7f58c8414b57060f6461363f35fc9832edcd1f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_extracted_bin
Author: James_inthe_box
Description: AgentTesla extracted

Rule name: AgentTesla_mod_tough_bin
Author: James_inthe_box
Reference: https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

Rule name: win_agent_tesla_w1
Author: govcert_ch
Description: Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Category: Malspam
Signature: AgentTesla
File: Executable exe ec379ea581609100b8ddfcf28eea0dc40ce72fb9e9f3dd310e0dfbeaf06bef0f (this sample)
Delivery method: Distributed via e-mail attachment

Comments