MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c04b8ae6d8b950026abcfb92547590a9ae27fe60218542ff96ea94880536c80d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 3 File information Comments

SHA256 hash:	c04b8ae6d8b950026abcfb92547590a9ae27fe60218542ff96ea94880536c80d
SHA3-384 hash:	53f04d58e1305855d6c5425dff1c5ca20138023722f50abc3fc61c6f47301efc058f01093df37c63a8c6bd894e095f90
SHA1 hash:	b9c1a3d56c24997f80bde123967997004bf7b2a9
MD5 hash:	a49162a0284cae60b9982bde389157d3
humanhash:	steak-oregon-autumn-music
File name:	scan_copy.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	478'720 bytes
First seen:	2020-08-06 06:39:26 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	2ff2dc860b3be78716db0209b9220e29 (4 x AgentTesla, 3 x HawkEye, 2 x NetWire)
ssdeep	12288:xSs0rXaqrsASeWvtH9iEVV9IuMSECEG2/dWT:xSsMrTzWvt8EVVevm2
Threatray	11'427 similar samples on MalwareBazaar
TLSH	F4A42332C610DC95FE146CBB127F33EDAE48A4E5AD784D253A14D90EAD381E10B73B5A
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: paymontly.servers.prgn.misp.co.uk
Sending IP: 185.20.50.76
From: Anatco.com <sales2@anatco.com>
Subject: -PO for delivery
Attachment: scan_copy.gz (contains "scan_copy.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/40165/

Detection(s):

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-6

PUA.Win.Packer.Upx-4

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Sending a UDP request

Reading critical registry keys

Launching the process to change network settings

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/412284

Signature

Contains functionality to detect sleep reduction / modifications

Found malware configuration

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Capture Wi-Fi password

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal WLAN passwords

Tries to steal Mail credentials (via file access)

Uses netsh to modify the Windows network and firewall settings

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/c04b8ae6d8b950026abcfb92547590a9ae27fe60218542ff96ea94880536c80d/

Threat name:

Win32.Spyware.Negasteal

Status:

Malicious

First seen:

2020-08-06 04:55:49 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ybfyvzwyxfiae2v47ojfi5mqvgxcp7taegcuf74w5kkiqbjwzagq._file

Verdict:

malicious

Label(s):

agenttesla

hawkeyekeylogger

AgentTesla

47c8fab622177ddaa495e4b9294c0949be6c7572ef15f831ee7c326af0200ccb

AgentTesla

9eb1f39ae32ed2c3289f148c0182ef2f8916fe7283400fcffd262798c08ded91

AgentTesla

a884c6f90ec51dc6d39304e05efe5820d5c11afcd90abeaca8969b4adb9448e7

AgentTesla

c3cf7a61f0ab30656aa7dd49ad4888794833ac3ae9eaf61391c4940117a4fd7f

AgentTesla

c905064bb651ad48f6a67415f4b982254e6f816ff03b1f19d3da32da19a8d788

AgentTesla

d223c5d9e8c4529cf905bb3c777f6850b21babd5ef85cd270db5a9e760ba4e0f

AgentTesla

da283473a2f9bd5bb26dbe283b4d037f0992a8d87fbd6116b76505958394675c

AgentTesla

df8fe4098c22cd64afb8369348581a0ed7c924ea9ad659741e2899a32ab2e842

AgentTesla

efd857b9c713b00e8359f0c58fdb42124b2b3fccbfd5de1ef95156cdee038170

AgentTesla

+ 11'417 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

8/10

Tags:

upx

Link:

https://tria.ge/reports/200806-feceqxmz8n/

Behaviour

UPX packed file

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Tinba

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/c04b8ae6d8b950026abcfb92547590a9ae27fe60218542ff96ea94880536c80d

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	Agenttesla_type2 Create hunting rule
Author:	JPCERT/CC Incident Response Group
Description:	detect Agenttesla in memory
Reference:	internal research

Rule name:	CAP_HookExKeylogger Create hunting rule
Author:	Brian C. Bell -- @biebsmalwareguy
Reference:	https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar