MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a132044c5acdf6901718ff3e7b6cee80b0d976f32d8876b2352b08d316feacf7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a132044c5acdf6901718ff3e7b6cee80b0d976f32d8876b2352b08d316feacf7
SHA3-384 hash: 42353baa2ab193d3f9fcf9633dc009c201b5b08c7a74d68cdfae3f9e2f513edfd8da7bdf7c729d0ea8bba917ddcfd58a
SHA1 hash: f7a1f186b6fe2f7e77aa5b9d2b51f8cdf8f43d9c
MD5 hash: 6303789e1379ea6ec1c7012b5a35c6b6
humanhash: colorado-quiet-mississippi-lamp
File name:P.O 5886789345434.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:419'328 bytes
First seen:2020-08-06 07:59:44 UTC
Last seen:2020-08-07 08:15:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash c2d00fc4271c3f42efcfb8ae80a5dd76 (2 x AgentTesla)
ssdeep 12288:/lTDCKq9xLTBKTEvTF3F++1px20msY5IJOJs8G4X+ZGc:/9DCKq9xXgEvRw+ZVkIJIyG
Threatray 10'639 similar samples on MalwareBazaar
TLSH 0294E021B6D2D029DDC10E747148DAEB9834F9B81461AAD333C49F266D35BD3C92DE2B
Reporter jarumlus
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
62
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV2
Create hunting rule
Link:
https://www.capesandbox.com/analysis/40360/
Detection(s):
PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a file
Running batch commands
Sending a UDP request
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Reading critical registry keys
Stealing user critical data
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/412583
Signature
Allocates memory in foreign processes
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: MSBuild connects to smtp port
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a132044c5acdf6901718ff3e7b6cee80b0d976f32d8876b2352b08d316feacf7/
Threat name:
Win32.Infostealer.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-08-06 08:01:05 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uezaitc2zx3jafyy747hw3hoqcyns5xtfwehnmrvfmengfx6vt3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2449c1f1a898c241fd99ef81dd67ea37db3944708a37a3229f19bf572d7136d8
AgentTesla
3153b96e0d31eb2901117a088ffcdbe7e88ba65660171b0f0d43295ea21a27b0
AgentTesla
3c267f259097c5786ddcb5c74ec6410267d465976259d841b988271b7474906c
AgentTesla
3f17b1407dd6b3febc9c19770d1252a7028971382c85a2b9320e416801b2f904
AgentTesla
5772f99f2fb2648a9252d6742881ed81b380ce0c6986270a600ab2b975f5c4de
AgentTesla
86ed0ebbd24ad4c94834ea45d9af009a08738c1341b95ca0d35a59ffdc726de7
AgentTesla
8d175348d054a71fec626c9ee281e8bd85747864997ade10986e94f94af24273
AgentTesla
9dda846870b687794890a95e4532f7886dcf61d6bfcd4cbc2ddeb306abc22311
AgentTesla
c2be2f9a3561ac1145ac0711574c30064e14ec9d62e916b700f75cc33b77d154
AgentTesla
ec6afc29beafb4093f0aca9fa00e1c3097dac94baee4801eebc5043de4556781
AgentTesla
+ 10'629 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/200806-9j1vd1faza/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Reads data files stored by FTP clients
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a132044c5acdf6901718ff3e7b6cee80b0d976f32d8876b2352b08d316feacf7

File information

The table below shows additional information about this malware sample such as delivery method and external references.

1376ebfed2b1e56337427d5dba26504fe9e4018e79846d36ef6dc99b2fdf3b1f

AgentTesla

Executable exe a132044c5acdf6901718ff3e7b6cee80b0d976f32d8876b2352b08d316feacf7

(this sample)

  
Dropped by
MD5 0f6997ba6c878fde39136b2eb8c4b76d
  
Dropped by
SHA256 1376ebfed2b1e56337427d5dba26504fe9e4018e79846d36ef6dc99b2fdf3b1f
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/40360/

Comments