MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12cc3f8d26992b93a6ce85180eb723e0f194cd8b4b09095e7058bb47d9aebfe6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12cc3f8d26992b93a6ce85180eb723e0f194cd8b4b09095e7058bb47d9aebfe6
SHA3-384 hash: b102d90ae0fec056de83285dbcf0e05d5b0a21a970a80fb2d0bd44a0017e5a53ff3e1017e3cbc48aa87d0e4244c1946e
SHA1 hash: 792921c17690073d9291c602b2d65bf92131b44a
MD5 hash: 9d0a3cff1208246c22252451b9a5a302
humanhash: johnny-mobile-early-wyoming
File name:9d0a3cff1208246c22252451b9a5a302.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:589'312 bytes
First seen:2020-09-02 17:48:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:0BGcl9BL142asLlbgLzCP7nn+9v4HbVJsIjE:2G+esLlb+zCP7nIv4HbVqI
Threatray 9'317 similar samples on MalwareBazaar
TLSH 41C40163316DAF87CCFA39FC004A718063B6606A5CA5F3D58DC3A1DB29CAFC451A1697
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.W32.Trojan-7.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/457773
Signature
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Multi AV Scanner detection for submitted file
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 281275 Sample: SFNfGLwsfv.exe Startdate: 02/09/2020 Architecture: WINDOWS Score: 80 24 Multi AV Scanner detection for submitted file 2->24 26 Yara detected AgentTesla 2->26 28 Yara detected AntiVM_3 2->28 30 2 other signatures 2->30 7 SFNfGLwsfv.exe 3 2->7         started        process3 file4 22 C:\Users\user\AppData\...\SFNfGLwsfv.exe.log, ASCII 7->22 dropped 32 Injects a PE file into a foreign processes 7->32 34 Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent) 7->34 11 SFNfGLwsfv.exe 2 7->11         started        13 SFNfGLwsfv.exe 7->13         started        15 SFNfGLwsfv.exe 7->15         started        signatures5 process6 process7 17 dw20.exe 22 6 11->17         started        file8 20 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 17->20 dropped
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/12cc3f8d26992b93a6ce85180eb723e0f194cd8b4b09095e7058bb47d9aebfe6/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-09-02 16:07:10 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
082f7afe7db0098c5e320b49174c80a02b2516271672a4384ffffcb960d03879
AgentTesla
0ca1f0a08b7a21079683beeaf8bfa86df3d396b8d7a0cade52e963b78bd9a7e3
AgentTesla
27b2f5e25dbc80d98c7e18c870230ba70a953f88fec3b81a4738f5e6628a9f97
AgentTesla
460a1e3acbde201bf39a076cc672dc052368cf55343fcbc6ad2a10ffb6fb3215
AgentTesla
5e7e491fe67b6ec4f5bf52e1a3cdc59be7b0ec5d896413dd89c23aa7a7828f00
AgentTesla
65dc5eae6aba498e459af4ab782d21cf3708141b3886226a9e31c407b6d9aa8f
AgentTesla
68f770cf2f06a3c28dff7e9e3282ad929834af4949e948417b4cef7eabee26ad
AgentTesla
ba8ee5201bd168f1c327977b55c59dc9891cd744ededabb4554d5645a0c65777
AgentTesla
e738d23963c1001eb3cc3287fd96bacb4a4f073c665c866bc3cadf39d71350e8
AgentTesla
fb7239506060a7d75553a156f68ba757569bc933f2dba62cb385c16c13e107d3
AgentTesla
+ 9'307 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer trojan spyware family:agenttesla
Link:
https://tria.ge/reports/200902-wy928z3taa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12cc3f8d26992b93a6ce85180eb723e0f194cd8b4b09095e7058bb47d9aebfe6

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research
Rule name:CAP_HookExKeylogger
Create hunting rule
Author:Brian C. Bell -- @biebsmalwareguy
Reference:https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar
Rule name:win_agent_tesla_g2
Create hunting rule
Author:Daniel Plohmann <daniel.plohmann@fkie.fraunhofer.de>
Rule name:win_agent_tesla_w1
Create hunting rule
Author:govcert_ch
Description:Detect Agent Tesla based on common .NET code sequences

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 12cc3f8d26992b93a6ce85180eb723e0f194cd8b4b09095e7058bb47d9aebfe6

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/451760/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/54471/

Comments