MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f791e41279744779b60a12e8e88ab15dd254c89acfb75ed5a3772053f8831f63. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f791e41279744779b60a12e8e88ab15dd254c89acfb75ed5a3772053f8831f63
SHA3-384 hash: 69e892892fb6cd19ff86c1227895dfa2a22117660819467b963786f9189b4778400d48c111cbd3a00a5cd0bcb58cb6cc
SHA1 hash: 13010fa3bd4c7e1f7852d579c10505a40afa4bab
MD5 hash: dd5e8f55df6577549de4bc6f120fbdc1
humanhash: oklahoma-six-coffee-nuts
File name:Fwd WRONG BANK DETAIL'S.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:440'320 bytes
First seen:2020-08-17 06:33:45 UTC
Last seen:2020-08-17 08:28:04 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:9fDknEeyhjawmsVDNkqxBsGg/PeZDeSO3rUbH4EcmZHAFaxmVmie9bngP:pnkMehHBbo4EcmZHAFaxmVmie9bngP
Threatray 10'607 similar samples on MalwareBazaar
TLSH E494F15C30E0A076F7F85FB1BC60AC084776770A0D265F0F66A1A2B4A7F7AE57D0491A
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: cpshared8.tedata.net
Sending IP: 213.158.180.204
From: a/c <kris.brumley@contentstreams.com>
Subject: Fwd: WRONG BANK DETAIL'S
Attachment: Fwd WRONG BANK DETAILS.zip (contains "Fwd WRONG BANK DETAIL'S.exe")

AgentTesla SMTP exfil server:
mail.opporajasthan.in:26

Intelligence

File Origin
# of uploads :
2
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/46687/
Detection(s):
SecuriteInfo.com.Trojan.Inject3.51227.26441.29039.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/432632
Signature
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f791e41279744779b60a12e8e88ab15dd254c89acfb75ed5a3772053f8831f63/
Threat name:
ByteCode-MSIL.Spyware.Negasteal
Create hunting rule
Status:
Malicious
First seen:
2020-08-17 01:06:03 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  2/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=66i6ietzordxtnqkcluorcvrlxjfjse2z63v5vndo4qfh6edd5rq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
22a1cc0a4f9c3667870c2f7487ca8d028288806955866f32e621aadc8afe9eae
AgentTesla
2a9cf930b5e11dee35842ff73179a0467f820a95e23560d774f7ea05111de351
AgentTesla
36609130c2783f8915051cf0030eb0b4a2712710257fb07095463a3dbc7f1861
AgentTesla
3e7332310ea67e1982c17c325fde52c70c2155f73d2792b51e2484b86ec51e1e
AgentTesla
5dae09313f5bf2ef9f108c33d30b770c83d450e5c163150ef1754794493bb86f
AgentTesla
67309e579deeb9fae0f90ce0e40e40318ef25c6c32b88e247863f13aa6678a55
AgentTesla
7abf73f6d63535a3770a681960124ee32f77d0305cfb82e80da13301829d5b25
AgentTesla
9b35a1eab3bddb51f9571b67a8d679c7db0af207a938f428870e10eae43e00f2
AgentTesla
b96e6ac1d0b74e691b13eaddb1f72d792727c0447aaadae0a9c4599c3288d51c
AgentTesla
e290e14bd99ee48d3d9b39fb7d0a56f29f83309d86214084d23e00c44971508c
AgentTesla
+ 10'597 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer evasion spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200817-psmv78s29e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Noon
Score:
0.80
Link:
https://yomi.yoroi.company/submissions/f791e41279744779b60a12e8e88ab15dd254c89acfb75ed5a3772053f8831f63

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 2909e9a7f4e544cb4089a7f05e3af83c1d6faeb5d3c0d82c0938cd369cba8d8f

AgentTesla

Executable exe f791e41279744779b60a12e8e88ab15dd254c89acfb75ed5a3772053f8831f63

(this sample)

  
Dropped by
MD5 8448a2b6396013f5d31af44da4a324f8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/46687/
  
Dropped by
SHA256 2909e9a7f4e544cb4089a7f05e3af83c1d6faeb5d3c0d82c0938cd369cba8d8f

Comments