MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 eda8f8050e6734ff91e0c51870b8d02977546fae360385c9c398c95d9fee6be0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: eda8f8050e6734ff91e0c51870b8d02977546fae360385c9c398c95d9fee6be0
SHA3-384 hash: 6f9f7557abd0a937464cdc360216a5e80bbb032eccd55edb60689d83661af8333e3ae6728eafb5e60ba2bc816a654258
SHA1 hash: 8bbe40382c548db4a9df3efae35b0d9a0692df29
MD5 hash: ac080f037df0435e38321d078180dfbd
humanhash: bravo-nitrogen-nine-double
File name:PO-SCAN-90400300002994000202.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:794'624 bytes
First seen:2020-08-12 18:21:50 UTC
Last seen:2020-08-13 05:57:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ca8a968818883f4b47dacd6943e1ee04 (3 x AgentTesla, 2 x Loki, 1 x Formbook)
ssdeep 12288:313XOoKnE7J93PUtFiMx56Vnh+23dOEhYkvEPlwTiPjzT1AubPnwf6yTZvoi7Uf:xe87J98ii6NY+9gNPzTNbfKnZAiof
Threatray 11'576 similar samples on MalwareBazaar
TLSH 10F4BF22B3D04937CC67163D9C0B9774A839BE11EE68E9862BF51C4C8F3968539392D7
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: iryemen.org
Sending IP: 185.222.57.154
From: Weam Alnabhani<Weam.Alnabhani@iryemen.org>
Subject: Supplying Items RRM
Attachment: PO-SCAN-90400300002994000202.pdf.rar (contains "PO-SCAN-90400300002994000202.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
71
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/44411/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.BackDoor.SpyBotNET.25.28221.1486.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/423603
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Contains functionality to inject code into remote processes
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Maps a DLL or memory area into another process
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 264258 Sample: PO-SCAN-90400300002994000202.exe Startdate: 13/08/2020 Architecture: WINDOWS Score: 100 33 Found malware configuration 2->33 35 Yara detected AgentTesla 2->35 37 Sigma detected: Drops script at startup location 2->37 7 PO-SCAN-90400300002994000202.exe 2->7         started        10 wscript.exe 1 2->10         started        process3 signatures4 39 Detected unpacking (changes PE section rights) 7->39 41 Detected unpacking (overwrites its own PE header) 7->41 43 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->43 45 6 other signatures 7->45 12 PO-SCAN-90400300002994000202.exe 4 7->12         started        16 notepad.exe 1 7->16         started        18 PO-SCAN-90400300002994000202.exe 7->18         started        20 PO-SCAN-90400300002994000202.exe 10->20         started        process5 dnsIp6 31 us2.smtp.mailhostbox.com 208.91.199.224, 49749, 587 PUBLIC-DOMAIN-REGISTRYUS United States 12->31 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 12->47 49 Tries to steal Mail credentials (via file access) 12->49 51 Tries to harvest and steal ftp login credentials 12->51 53 Tries to harvest and steal browser information (history, passwords, etc) 12->53 55 Drops VBS files to the startup folder 16->55 57 Delayed program exit found 16->57 59 Writes to foreign memory regions 20->59 61 Allocates memory in foreign processes 20->61 63 Maps a DLL or memory area into another process 20->63 22 notepad.exe 1 20->22         started        25 PO-SCAN-90400300002994000202.exe 4 20->25         started        27 PO-SCAN-90400300002994000202.exe 20->27         started        signatures7 process8 file9 29 C:\Users\user\AppData\...\explorer.exe.vbs, ASCII 22->29 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/eda8f8050e6734ff91e0c51870b8d02977546fae360385c9c398c95d9fee6be0/
Threat name:
Win32.Backdoor.NanoCore
Create hunting rule
Status:
Malicious
First seen:
2020-08-12 16:28:22 UTC
File Type:
PE (Exe)
Extracted files:
64
AV detection:
25 of 28 (89.29%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=5wupqbiom42p7epayumhbogqff3vi35ogybylsodtdev3h7onpqa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
hawkeyekeylogger
Create hunting rule
Similar samples:
0de6ee5a054ce4edb8497c310cd2891a3463bfdd769ef917ef441e1a04b32334
AgentTesla
2db768c4da193c9ea8a2cb92da2999f76414b625eed8a6f8088992ac37b4f9ce
AgentTesla
3bf2467d7e7031b0af1fccfbc9d67fc29b572aaa64b1df6a77eed00cee768a04
AgentTesla
6f6c89a2569d5cf213a0cba5a78eef2d116a0325a6128190a3832f74f9df887b
AgentTesla
8c597485c8789aeb7f4edef9a49fc83a39346ea4d9f31f51b92f27b77ed8af0d
AgentTesla
a384816b481c92571f603a60f84b5a4cf57a6422c55c3fffe17d5dd0e85a5034
AgentTesla
bc83749e54465e28ddd8d7d615088989b9c17ab971969c536cef06f94887d51a
AgentTesla
c94d487888c8ca1365ca24c759333f11589c4a744f5174292c961bba808ee7a1
AgentTesla
d363c156cee675f7f4744162acb889dd330284ec40fb65d5bd57ad7c936681a8
AgentTesla
d5151bd37aa74ce1a5782e72bf26630f2df07f1e7cbeb42f45aa2f49645c35a8
AgentTesla
+ 11'566 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200812-tqw9x9lazs/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/eda8f8050e6734ff91e0c51870b8d02977546fae360385c9c398c95d9fee6be0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 664310079b2d206b208a798b015b332601d0acac8f019975b8fc1566c0625d44

AgentTesla

Executable exe eda8f8050e6734ff91e0c51870b8d02977546fae360385c9c398c95d9fee6be0

(this sample)

  
Dropped by
MD5 0184e6a5316bdfd76713b732842a6d6b
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/44411/
  
Dropped by
SHA256 664310079b2d206b208a798b015b332601d0acac8f019975b8fc1566c0625d44

Comments