Backdoor:MSIL/AgentTesla.SBR!MSR removal

Backdoor:MSIL/AgentTesla.SBR!MSR is Microsoft's detection name for a file that the large majority of security vendors also flag as malicious (see the detection list below). When this infection is active, you may notice unfamiliar processes in the Task Manager list. In that case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a full scan and clean your PC during the trial period.
6-day free trial available.

What can Backdoor:MSIL/AgentTesla.SBR!MSR do?

The following are the behaviour signatures the CAPE sandbox raised when the sample was detonated:
  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Guard pages use detected – possible anti-debugging.
  • A process attempted to delay the analysis task.
  • Dynamic (imported) function loading detected
  • At least one IP Address, Domain, or File Name was found in a crypto call
  • A process created a hidden window
  • CAPE extracted potentially suspicious content
  • The binary likely contains encrypted or compressed data.
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Behavioural detection: Injection (Process Hollowing)
  • Executed a process and injected code into it, probably while unpacking
  • Behavioural detection: Injection (inter-process)
  • Behavioural detection: Injection with CreateRemoteThread in a remote process
  • Created a process from a suspicious location
  • Collects and encrypts information about the computer likely to send to C2 server
  • CAPE detected the AgentTeslaV2 malware family
  • Harvests credentials from local FTP client software

How to identify Backdoor:MSIL/AgentTesla.SBR!MSR?

File Info:

name: 5C03EAD6CF5DF8FF7A9E.mlw
path: /opt/CAPEv2/storage/binaries/01c25d1e551f6c54f1c49d04fa445bf4290dafcc23f67bfac14e4f80f2662441
crc32: 1AE454DF
md5: 5c03ead6cf5df8ff7a9e6d85c3987c2d
sha1: 7e22ed43851fa8c4ac08fbda87e11dfa9e02628c
sha256: 01c25d1e551f6c54f1c49d04fa445bf4290dafcc23f67bfac14e4f80f2662441
sha512: 5ac9bcf03c8086385c413fe5319b93982cc4c27ccc258eaca7c92e026c4aac0fdcb91efc22775459a88e33a49d5dad6a0e98866192480be1f744b63042cd575a
ssdeep: 6144:Y9uJk402JNR/6/Ik76auQfabk+wSXaUbIhRUAz5MG98/nSGLFwgr:YD40cKIke8ayAhAzyk8/nfLFwg
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T15894026026FD6BA2C53EAFF53231602247B6747AE291FB0C4EC571EA0267F109E60D57
sha3_384: 0f01f1cc28c2487322941f9b8b781bf2927020a1ee7049bf12389c3874b9b498eed84d64dfe02af9cbad3af7154c29dc
ep_bytes: ff250020400000000000000000000000
timestamp: 2020-05-19 05:57:47

The entry point begins with FF 25 00 20 40 00, i.e. jmp dword ptr [0x402000]: the standard native stub of a .NET executable, which jumps through the import table into mscoree's _CorExeMain. That is why the file type reads as a plain Intel 80386 PE32 while the detection name says MSIL.
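The following triage script is an added example, not a GridinSoft or CAPE tool. It checks a file against the three hashes listed above and reads the bytes at the PE entry point to recognise the .NET loader stub; the stdlib PE walking and the constructed image built by build_minimal_pe() are assumptions of this example, not data from the page.

```python
"""Offline triage for the sample described above. Added example: not a GridinSoft
or CAPE tool. The hashes are copied from the page's File Info; the PE parsing and
the constructed image in build_minimal_pe() are assumptions of this example."""
import hashlib
import struct
import sys

# Indicators copied from the File Info block above.
IOC_HASHES = {
    "md5": "5c03ead6cf5df8ff7a9e6d85c3987c2d",
    "sha1": "7e22ed43851fa8c4ac08fbda87e11dfa9e02628c",
    "sha256": "01c25d1e551f6c54f1c49d04fa445bf4290dafcc23f67bfac14e4f80f2662441",
}


def hash_bytes(data: bytes) -> dict:
    """Hash file contents with the algorithms listed in the File Info block."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in IOC_HASHES}


def matches_ioc(hashes: dict) -> bool:
    """True if any computed hash equals the page's indicator for that algorithm."""
    return any(hashes.get(alg, "").lower() == ioc for alg, ioc in IOC_HASHES.items())


def entry_point_bytes(data: bytes, count: int = 16) -> bytes:
    """Return `count` bytes at AddressOfEntryPoint of a PE32/PE32+ file, stdlib only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                   # optional header follows COFF header
    ep_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = opt + opt_size
    for i in range(nsections):
        # skip Name(8) + VirtualSize(4); read VirtualAddress, SizeOfRawData, PointerToRawData
        va, raw_size, raw_ptr = struct.unpack_from("<12xIII", data, sections + i * 40)
        if va <= ep_rva < va + raw_size:           # map the RVA to a file offset
            off = raw_ptr + (ep_rva - va)
            return data[off:off + count]
    raise ValueError("entry point not backed by any section")


def dotnet_stub_target(ep: bytes):
    """If the entry point is the native .NET loader stub `jmp dword ptr [imm32]`
    (opcode FF 25), return the absolute address it jumps through, else None."""
    if len(ep) >= 6 and ep[:2] == b"\xff\x25":
        return struct.unpack_from("<I", ep, 2)[0]
    return None


def build_minimal_pe(ep_code: bytes) -> bytes:
    """Constructed, non-runnable PE32 with one .text section holding `ep_code`,
    so the example can be exercised offline. Not a real sample."""
    pe_off, opt_size, raw_ptr, text_va = 0x40, 0xE0, 0x200, 0x1000
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 16, text_va)         # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    text = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", len(ep_code), text_va, 0x200, raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = (dos + coff + bytes(opt) + text).ljust(raw_ptr, b"\0")
    return header + ep_code.ljust(0x200, b"\0")


def triage(data: bytes) -> dict:
    """Hash match plus entry-point inspection for one file's contents."""
    hashes = hash_bytes(data)
    ep = entry_point_bytes(data)
    return {
        "ioc_match": matches_ioc(hashes),
        "ep_bytes": ep.hex(),
        "dotnet_stub_iat": dotnet_stub_target(ep),
        **hashes,
    }


if __name__ == "__main__":
    # With a path argument, triage that file; otherwise use the constructed image.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_minimal_pe(bytes.fromhex("ff2500204000"))
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

Run it as `python triage.py suspect.exe`. A hash match is conclusive for this exact file only; an FF 25 entry stub merely says "managed executable" and is expected for any .NET binary, so treat it as context for the MSIL detection name rather than as an indicator on its own.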

Version Info:

Translation: 0x0000 0x04b0
Comments:
CompanyName:
FileDescription: ClassAssignment
FileVersion: 1.0.0.0
InternalName: NWjKPEBbEJwwhdV.exe
LegalCopyright: Copyright © 2017
LegalTrademarks:
OriginalFilename: NWjKPEBbEJwwhdV.exe
ProductName: ClassAssignment
ProductVersion: 1.0.0.0
Assembly Version: 1.0.0.0

The placeholder product name ("ClassAssignment") and the random-looking InternalName/OriginalFilename (NWjKPEBbEJwwhdV.exe) are typical of .NET loaders produced by crypter builders, which is consistent with the unpacking and injection behaviour the sandbox recorded above.

Backdoor:MSIL/AgentTesla.SBR!MSR also known as:

Note that the engines do not agree on the family: alongside AgentTesla, several label the same file NanoBot, two say Remcos, one says Azorult, and many return only generic or machine-learning verdicts. Treat the family name as a hint and rely on the hashes above when matching this specific sample.

Bkav: W32.AIDetectNet.01
Lionic: Trojan.MSIL.NanoBot.m!c
DrWeb: Trojan.PWS.Siggen2.49052
MicroWorld-eScan: Trojan.GenericKD.43184978
CAT-QuickHeal: Trojan.YakbeexMSIL.ZZ4
ALYac: Trojan.GenericKD.43184978
Cylance: Unsafe
Zillya: Worm.AutoRun.Win32.145967
Sangfor: Trojan.Win32.Save.a
K7AntiVirus: Riskware ( 0040eff71 )
Alibaba: Backdoor:MSIL/AgentTesla.ed65a9c0
K7GW: Riskware ( 0040eff71 )
CrowdStrike: win/malicious_confidence_100% (W)
BitDefenderTheta: Gen:NN.ZemsilCO.34582.zm0@a0rrK@m
VirIT: Trojan.Win32.PWSStealer.CEX
Cyren: W32/MSIL_Troj.SX.gen!Eldorado
Symantec: Scr.Malcode!gdn31
Elastic: malicious (high confidence)
ESET-NOD32: MSIL/Autorun.Spy.Agent.DF
APEX: Malicious
Paloalto: generic.ml
Kaspersky: HEUR:Backdoor.MSIL.NanoBot.gen
BitDefender: Trojan.GenericKD.43184978
NANO-Antivirus: Trojan.Win32.Autorun.hldpab
Avast: Win32:PWSX-gen [Trj]
Tencent: Msil.Backdoor.Nanobot.Svhj
Ad-Aware: Trojan.GenericKD.43184978
Sophos: Mal/Generic-S + Troj/Keylog-AIP
Comodo: Malware@#2ffy7fy7x18rm
VIPRE: Trojan.GenericKD.43184978
TrendMicro: Backdoor.MSIL.REMCOS.SM
McAfee-GW-Edition: BehavesLike.Win32.Fareit.gc
FireEye: Generic.mg.5c03ead6cf5df8ff
SentinelOne: Static AI – Malicious PE
GData: Win32.Trojan-Stealer.AgentTesla.TQE5R7
Jiangmin: Backdoor.MSIL.cyci
Webroot: W32.Trojan.MSIL.NEGEASTEAL.SMTN
Avira: TR/AD.AgentTesla.nqwiq
MAX: malware (ai score=86)
Antiy-AVL: Trojan/Generic.ASMalwS.3CA0
Kingsoft: Win32.Hack.Undef.(kcloud)
ZoneAlarm: HEUR:Backdoor.MSIL.NanoBot.gen
Microsoft: Backdoor:MSIL/AgentTesla.SBR!MSR
Cynet: Malicious (score: 100)
AhnLab-V3: Trojan/Win32.Kryptik.R337042
Acronis: suspicious
McAfee: Trojan-FSJJ!5C03EAD6CF5D
Malwarebytes: Spyware.Agent
TrendMicro-HouseCall: Backdoor.MSIL.REMCOS.SM
Rising: Backdoor.NanoBot!8.28C (KTSE)
Yandex: Trojan.Igent.bTK8Rg.2
Ikarus: Trojan-Spy.Azorult
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: MSIL/GenKryptik.ELKP!tr
AVG: Win32:PWSX-gen [Trj]
Cybereason: malicious.6cf5df
Panda: Trj/WLT.F
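To make the disagreement between vendors measurable, here is an added example (not the page's or any vendor's code) that tallies family votes from the detection labels above. The labels in LABELS are copied from that list (every one that names a family, plus a few generic ones to show they are skipped); the keyword-to-family table and the vote margin are assumptions of this example.

```python
"""Tally malware-family votes across AV detection labels. Added example, not the
page's or a vendor's tool. LABELS is copied from the page's detection list (the
family-bearing entries plus some generic ones); FAMILY_TOKENS is an assumed mapping."""
import re
from collections import Counter

# (vendor, label) pairs copied from the "also known as" list above.
LABELS = [
    ("Lionic", "Trojan.MSIL.NanoBot.m!c"),
    ("Alibaba", "Backdoor:MSIL/AgentTesla.ed65a9c0"),
    ("Kaspersky", "HEUR:Backdoor.MSIL.NanoBot.gen"),
    ("BitDefender", "Trojan.GenericKD.43184978"),
    ("Tencent", "Msil.Backdoor.Nanobot.Svhj"),
    ("TrendMicro", "Backdoor.MSIL.REMCOS.SM"),
    ("McAfee-GW-Edition", "BehavesLike.Win32.Fareit.gc"),
    ("GData", "Win32.Trojan-Stealer.AgentTesla.TQE5R7"),
    ("Avira", "TR/AD.AgentTesla.nqwiq"),
    ("ZoneAlarm", "HEUR:Backdoor.MSIL.NanoBot.gen"),
    ("Microsoft", "Backdoor:MSIL/AgentTesla.SBR!MSR"),
    ("AhnLab-V3", "Trojan/Win32.Kryptik.R337042"),
    ("TrendMicro-HouseCall", "Backdoor.MSIL.REMCOS.SM"),
    ("Rising", "Backdoor.NanoBot!8.28C (KTSE)"),
    ("Ikarus", "Trojan-Spy.Azorult"),
    ("Fortinet", "MSIL/GenKryptik.ELKP!tr"),
]

# Assumed keyword -> canonical family table; generic words (Trojan, Generic,
# Kryptik, Backdoor, ...) are deliberately absent so they carry no vote.
FAMILY_TOKENS = {
    "agenttesla": "AgentTesla",
    "nanobot": "NanoBot",
    "remcos": "Remcos",
    "azorult": "Azorult",
    "fareit": "Fareit",
}

TOKEN_RE = re.compile(r"[A-Za-z]+")


def families_in_label(label: str) -> set:
    """Family names referenced by one label, matched on alphabetic tokens only."""
    return {FAMILY_TOKENS[t] for t in TOKEN_RE.findall(label.lower()) if t in FAMILY_TOKENS}


def tally(labels) -> Counter:
    """One vote per (vendor, family); a label naming two families votes for both."""
    votes = Counter()
    for _vendor, label in labels:
        votes.update(families_in_label(label))
    return votes


def consensus(votes: Counter, margin: int = 2):
    """Top family and whether it leads the runner-up by at least `margin` votes."""
    ranked = votes.most_common(2)
    if not ranked:
        return (None, False)
    top, top_n = ranked[0]
    runner_n = ranked[1][1] if len(ranked) > 1 else 0
    return (top, top_n - runner_n >= margin)


if __name__ == "__main__":
    votes = tally(LABELS)
    for family, n in votes.most_common():
        print(f"{family}: {n}")
    print("consensus:", consensus(votes))
```

On the page's own labels NanoBot edges out AgentTesla by a single vote, so consensus() reports no confident winner; that is exactly the situation in which the sandbox's family verdict (AgentTeslaV2) and the file hashes should take precedence over any one vendor's name.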

How to remove Backdoor:MSIL/AgentTesla.SBR!MSR?

Backdoor:MSIL/AgentTesla.SBR!MSR removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • Click “Move to quarantine” for all items found.
  • Open the “Tools” tab and press “Reset Browser Settings”.
  • Select the proper browser and options, then click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
