MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 01c758184cc633b9d242c0ef140b307581f9a43a1699424c4aaae63adac5ec28. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 01c758184cc633b9d242c0ef140b307581f9a43a1699424c4aaae63adac5ec28
SHA3-384 hash: 8dc013a8f49071905f64ae1845133d2ee9a8b04bd940ffae874a118dba73a8d51d8e93a05f32ef7f6ac6a5441d025945
SHA1 hash: 3315d7856457fe45adb0320573d225180e7ab669
MD5 hash: e44a4cc46fc140bb0d250562328c3239
humanhash: massachusetts-uncle-island-uniform
File name:Payment copy-Inv1022700.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:870'400 bytes
First seen:2021-08-09 05:25:08 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:scaQxt8mr5AmbgDPwFVt2NjFt1HnaJJGUhAiknbKbPXd66cPw58+FMmRAdckUyN:Lzb0wFVMNj1HagBbmPg6Lme
Threatray 8'077 similar samples on MalwareBazaar
TLSH T17E05D0303AED6318E1BFE770463592418BF6F537D716C78E2C64509C9A73A828722F96
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
191
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment copy-Inv1022700.exe
Verdict:
Malicious activity
Analysis date:
2021-08-09 06:11:58 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6f409c49-4f59-459e-adfe-e5f07f0b02ae

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/177411/
Detection(s):
SecuriteInfo.com.Trojan.Inject4.15160.17472.30622.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Moving of the original file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/6acfe800-763a-4d12-96c9-3d04414a5505
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/828999
Signature
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 461430 Sample: Payment copy-Inv1022700.exe Startdate: 09/08/2021 Architecture: WINDOWS Score: 100 54 Yara detected AgentTesla 2->54 56 Yara detected AgentTesla 2->56 58 Yara detected AntiVM3 2->58 60 7 other signatures 2->60 7 Payment copy-Inv1022700.exe 7 2->7         started        11 EglPyOy.exe 4 2->11         started        13 EglPyOy.exe 3 2->13         started        process3 dnsIp4 36 C:\Users\user\AppData\...\aDqBqZQHstEt.exe, PE32 7->36 dropped 38 C:\Users\...\aDqBqZQHstEt.exe:Zone.Identifier, ASCII 7->38 dropped 40 C:\Users\user\AppData\Local\...\tmp43A9.tmp, XML 7->40 dropped 42 C:\Users\...\Payment copy-Inv1022700.exe.log, ASCII 7->42 dropped 62 Injects a PE file into a foreign processes 7->62 16 Payment copy-Inv1022700.exe 2 5 7->16         started        20 schtasks.exe 1 7->20         started        64 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->64 66 Machine Learning detection for dropped file 11->66 68 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->68 22 schtasks.exe 1 11->22         started        24 EglPyOy.exe 2 11->24         started        26 EglPyOy.exe 11->26         started        44 127.0.0.1 unknown unknown 13->44 file5 signatures6 process7 file8 32 C:\Users\user\AppData\Roaming\...glPyOy.exe, PE32 16->32 dropped 34 C:\Users\user\...glPyOy.exe:Zone.Identifier, ASCII 16->34 dropped 46 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 16->46 48 Moves itself to temp directory 16->48 50 Tries to steal Mail credentials (via file access) 16->50 52 3 other signatures 16->52 28 conhost.exe 20->28         started        30 conhost.exe 22->30         started        signatures9 process10
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/01c758184cc633b9d242c0ef140b307581f9a43a1699424c4aaae63adac5ec28/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-08-09 05:26:08 UTC
AV detection:
19 of 46 (41.30%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ahdvqgcmyyz3tuscydxriczqowa7tjb2c2muetckvltdvwwf5qua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
33990c7027bd2b71b3097729edcadbe6d06a4b8746dabe85e251793f64022b1e
AgentTesla
b15d344bbd7da01d707a4811f5a083661a90bf8ef743498145feee4d8cd7b583
AgentTesla
cbb385b8529f8c65542da6de1561bac167da44c7de62a3f82407182db4aab8ff
AgentTesla
d5d87a51678607282919dd12634f7eb9c084a4b8f2ebe662a118885dd29dabd5
AgentTesla
e69229b8be53810406136e0a2a1c1638f35a3790d070658bde47ce1be9f3ab12
AgentTesla
+ 8'067 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210809-htt6x2x1c2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
aed00f82f1772e5a403cce9c1349202c8371e67ed9ef19a33cac0bf2a411f3c1
MD5 hash:
c273f926e2a29bd62cc8f27b569a0b2a
SHA1 hash:
e08d302cab3e11d776599a6b0537207fce6f9c51
Link:
https://www.unpac.me/results/66051dbd-da5c-4647-ad33-1f73e07719d6/
SH256 hash:
11e59737e7bd817fd9db2aac86b8388c948a7bc2028c05c0b62d0d4cae3b653a
MD5 hash:
e55a1774b69e5b07d799c2736d4dbe03
SHA1 hash:
ced5ca4de5d03d73d754823424ec2f962389a170
Link:
https://www.unpac.me/results/66051dbd-da5c-4647-ad33-1f73e07719d6/
SH256 hash:
1a9516da3f21bb1e3bcebe17dacee1a7021ff41e25572af08f3326ea12f33339
MD5 hash:
d2584bdd1df9ddaab29ac8194ab02c67
SHA1 hash:
97bea11e128c15fd32d8b3051d3ee22532f8d8cd
Link:
https://www.unpac.me/results/66051dbd-da5c-4647-ad33-1f73e07719d6/
SH256 hash:
01c758184cc633b9d242c0ef140b307581f9a43a1699424c4aaae63adac5ec28
MD5 hash:
e44a4cc46fc140bb0d250562328c3239
SHA1 hash:
3315d7856457fe45adb0320573d225180e7ab669
Link:
https://www.unpac.me/results/66051dbd-da5c-4647-ad33-1f73e07719d6/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/01c758184cc633b9d242c0ef140b307581f9a43a1699424c4aaae63adac5ec28

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 01c758184cc633b9d242c0ef140b307581f9a43a1699424c4aaae63adac5ec28

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/177411/

Comments