MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ff8ce17cc8b1121fe15fefde3ac27e31407cc81e4cf48ef4d8afccacb485f537. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ff8ce17cc8b1121fe15fefde3ac27e31407cc81e4cf48ef4d8afccacb485f537
SHA3-384 hash: bf94f4a1598b7ee4128758fcba2447cd8426fae7d8bb574573759f2e7e1179825d52a2c369ef02fbe12811c6ad91d00e
SHA1 hash: 2b5d5eb3b320dfb3e7e3ca875161a1653bfc11a4
MD5 hash: bc60bbf5f0fee6ef01a9bc9864a60cfd
humanhash: nevada-east-cola-two
File name:SHIPPING DOCUMENT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:538'624 bytes
First seen:2020-10-07 05:11:45 UTC
Last seen:2020-10-07 06:24:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:oVTa8vL3rdmo7f/W48BonWsx5kzl/aO7Whp/:vE08fOBCHbOY
Threatray 358 similar samples on MalwareBazaar
TLSH ABB426117B09EAB4F1AE04B484C9C1F10701FE9D5992612A7FD5FF2F7AB7604086EE92
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: fadcompanyltd.com
Sending IP: 103.141.138.129
From: Ash Zhang <info@fadcompanyltd.com >
Subject: RE: FINAL SHIPPING DOCS.
Attachment: SHIPPING DOCUMENT.zip (contains "SHIPPING DOCUMENT.exe")

AgentTesla SMTP exfil server:
mail.a-k.co.ir:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
130
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68790/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% directory
Unauthorized injection to a recently created process
Creating a window
Running batch commands
Creating a process with a hidden window
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Changing the hosts file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483704
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Modifies the hosts file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 294313 Sample: SHIPPING DOCUMENT.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 30 mail.a-k.co.ir 2->30 32 nagano-19599.herokussl.com 2->32 34 2 other IPs or domains 2->34 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Found malware configuration 2->52 54 Antivirus / Scanner detection for submitted sample 2->54 56 7 other signatures 2->56 7 SHIPPING DOCUMENT.exe 4 2->7         started        10 kprUEGC.exe 3 2->10         started        13 kprUEGC.exe 2->13         started        signatures3 process4 file5 58 Injects a PE file into a foreign processes 7->58 15 SHIPPING DOCUMENT.exe 17 5 7->15         started        28 C:\Users\user\AppData\Local\Temp\svhost.exe, PE32 10->28 dropped 60 Antivirus detection for dropped file 10->60 62 Multi AV Scanner detection for dropped file 10->62 64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 10->64 66 2 other signatures 10->66 20 kprUEGC.exe 2 10->20         started        signatures6 process7 dnsIp8 36 mail.a-k.co.ir 144.76.118.219, 49759, 49761, 587 HETZNER-ASDE Germany 15->36 38 elb097307-934924932.us-east-1.elb.amazonaws.com 174.129.214.20, 443, 49758 AMAZON-AESUS United States 15->38 40 2 other IPs or domains 15->40 22 C:\Users\user\AppData\Roaming\...\kprUEGC.exe, PE32 15->22 dropped 24 C:\Users\user\...\kprUEGC.exe:Zone.Identifier, ASCII 15->24 dropped 42 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 15->42 44 Tries to steal Mail credentials (via file access) 15->44 46 Tries to harvest and steal ftp login credentials 15->46 48 3 other signatures 15->48 26 C:\Windows\System32\drivers\etc\hosts, ASCII 20->26 dropped file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ff8ce17cc8b1121fe15fefde3ac27e31407cc81e4cf48ef4d8afccacb485f537/
Threat name:
ByteCode-MSIL.Infostealer.CoinStealer
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 01:26:09 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=76goc7giwejb7yk757pdvqt6gfahzsa6jt2i55gyv7gkznef6u3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
45c513f108712bc98e81a23e054b3d20de0e7ed152c1e42807ae5deeae7606c5
AgentTesla
535341ccd7f05015229ea15f24fa23baa11cc7596f7c79962564c6ed69fa4c64
AgentTesla
64c4d370517d05b2add478ca85855bf94c4c51ed05e9e02a92afecc04459ea38
AgentTesla
65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1
AgentTesla
818343ec8323d98752f067ddc9c04d0f2bddcb4e4d14137b6c16ee01a8fae41e
AgentTesla
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
aec9afaf95af4be9bbca9e0b6c398a994f6e6f2e343c11df643041eff7f2684f
AgentTesla
bd5b53d0e2a607818e9d9438452f988d1d0b6c76674ae4d8143b38a4c0cf7abf
AgentTesla
c39ac13cc69cadcb6badd8700e1a667274b9cd9eaa102db3f506bbf35372a29c
AgentTesla
+ 348 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201007-1wrq6zkj86/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
ff8ce17cc8b1121fe15fefde3ac27e31407cc81e4cf48ef4d8afccacb485f537
MD5 hash:
bc60bbf5f0fee6ef01a9bc9864a60cfd
SHA1 hash:
2b5d5eb3b320dfb3e7e3ca875161a1653bfc11a4
Link:
https://www.unpac.me/results/3ecbaff3-c48e-4cc1-b1a1-5d6464c8e3f7/
SH256 hash:
3cf8a2782094b41c570a575f535c55b738ae524355c84be64348852d8aef4444
MD5 hash:
ae306ef1ea66439d7cbea97a58dd2cdf
SHA1 hash:
2658523ee348d72affca2e6b87368a9e92f8047e
Link:
https://www.unpac.me/results/3ecbaff3-c48e-4cc1-b1a1-5d6464c8e3f7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ff8ce17cc8b1121fe15fefde3ac27e31407cc81e4cf48ef4d8afccacb485f537

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 4831320bdd804f71a906f8befcffd53405102da011ed621ee3dba070ce61720c

AgentTesla

Executable exe ff8ce17cc8b1121fe15fefde3ac27e31407cc81e4cf48ef4d8afccacb485f537

(this sample)

  
Dropped by
MD5 a972864771a79f82bb766bb7338966cb
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68790/
  
Dropped by
SHA256 4831320bdd804f71a906f8befcffd53405102da011ed621ee3dba070ce61720c

Comments