MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ba977e9b03a35f6eaee296d43580165e00fb549127df1eabb5dcc160350cc182. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 1 File information Comments

SHA256 hash:	ba977e9b03a35f6eaee296d43580165e00fb549127df1eabb5dcc160350cc182
SHA3-384 hash:	a102122ed48bdd9230ccc411eccfeb10e3a1fcd9cd6e7d7c29aa5a5518225c2697e3cc65fc2bf92f1cb283d70d8bbe7d
SHA1 hash:	35a2e44f645e7d04eaa4027966d892e278708573
MD5 hash:	0b950376bd81f46f43f98ecc08188d73
humanhash:	happy-whiskey-kitten-potato
File name:	CV.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	608'256 bytes
First seen:	2020-09-09 13:37:24 UTC
Last seen:	2020-09-09 14:45:10 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:qp2wGaCUyalS+zfO0X98IbkGoH6q3Hni91UmK9Xu/2p6urcZo:qp2wfRdSkJ+Ihoaani95K9Xg2pxcZ
Threatray	32 similar samples on MalwareBazaar
TLSH	50D4237A579FA391C9DD1BB2B07C30140773D1122603E78DAAEA72F52266F98CD24F25
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/58167/

Detection(s):

SecuriteInfo.com.Trojan.Siggen10.14423.28677.29796.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Reading critical registry keys

Stealing user critical data

Enabling autorun by creating a file

Result

Threat name:

Unknown

Detection:

malicious

Classification:

n/a

Score:

60 / 100

Link:

https://www.joesandbox.com/analysis/462080

Signature

Antivirus / Scanner detection for submitted sample

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Behaviour

Behavior Graph:

n/a

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/ba977e9b03a35f6eaee296d43580165e00fb549127df1eabb5dcc160350cc182/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-09-09 05:56:28 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=xklx5gydunpw5lxcs3kdlaawlyapwvere7pr5k5v3tawanimygba._file

Verdict:

suspicious

AgentTesla

2f8db5569121518b850e760945b719b028c69cf7302157fe878a15316bc01c0d

AgentTesla

3256574b14a63365fe83b15704cb49a4d44dc1cbef33bc839af2afa07902ed68

AgentTesla

3e0399c730996386f895fb276f727a0dd3095ae40c59ca11b56ed55ae8207285

AgentTesla

4dd8941c43c5868e2bbabb63ea7010c914910ee9b5daca0832d4b612dcd5c39b

AgentTesla

5256436b3b8e2f1536db54677c29644357bf74c84035043f34ceb2f1b59d00af

AgentTesla

62a24925998362fb9a7b4d11ee621888f372e1858545b04aef345443699948e7

AgentTesla

8662c16cd95bac8f06a94fcdf42947839e82692584befe3efe9d17a018404811

AgentTesla

a9516c6968887596edb07b3af53bdefe21bb4fd4ea7a776448294f1d9abcf07a

AgentTesla

c3ff2e79a8c6e932bd5c6ba0898916ca3382e27f0d33c153dca12f061bc2c708

AgentTesla

+ 22 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

keylogger trojan stealer spyware family:agenttesla

Link:

https://tria.ge/reports/200909-5mcm7l3z1n/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/ba977e9b03a35f6eaee296d43580165e00fb549127df1eabb5dcc160350cc182

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/58167/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample