MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 02dd2922b3d663ac779b0a5a5f579ac6c097a3847aadf5118aac23dc0a639a87. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 02dd2922b3d663ac779b0a5a5f579ac6c097a3847aadf5118aac23dc0a639a87
SHA3-384 hash: c7ce16d54003df52713e28b63f7fa9d52591933e61370752363ba1be8023ce163a8124b6cbd6cfcfe6910feb25d9cd10
SHA1 hash: 0d79f5d4e107789c7b3a67cfc0d1dff4a01a2995
MD5 hash: b866bc9bf9e438572219147bb93dfaf5
humanhash: low-uranus-fifteen-pasta
File name:P)141229202021.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'401'440 bytes
First seen:2020-12-16 14:25:51 UTC
Last seen:2020-12-16 15:46:16 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 49152:QBYKw4OgcDcpurPAUH2N7XTkowF7yAyEENcNWCh:QBYKw4OgcDccrPAUWN7XTNG7JyEEuWCh
Threatray 1'842 similar samples on MalwareBazaar
TLSH CEF5F35C3C43349F798A40B046DB66E892DA31191571273A5CE3247CEA2DDABBCDF872
Reporter cocaman
Tags:AgentTesla bat

Code Signing Certificate

Organisation:Fdbcecafeacaaeafeaabfaceddbef
Issuer:Fdbcecafeacaaeafeaabfaceddbef
Algorithm:sha256WithRSAEncryption
Valid from:Dec 14 19:15:48 2020 GMT
Valid to:Dec 14 19:15:48 2021 GMT
Serial number: 3C08427EF09BE12DC20ECDD43624DCF6
Thumbprint Algorithm:SHA256
Thumbprint: 3EC92DE827D204000EBE7242A32335733085AB37B2496C4128B57DDDFA94EC4D
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
193
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
P)141229202021.bat
Verdict:
Malicious activity
Analysis date:
2020-12-16 14:26:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/6fc332db-2c5a-4424-a052-9f7536c79764

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.35731317.19757.28462.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/564319
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Found malware configuration
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 331245 Sample: P)141229202021.bat Startdate: 16/12/2020 Architecture: WINDOWS Score: 100 40 mail.privateemail.com 2->40 44 Found malware configuration 2->44 46 Multi AV Scanner detection for dropped file 2->46 48 Sigma detected: Powershell adding suspicious path to exclusion list 2->48 50 7 other signatures 2->50 8 P)141229202021.exe 24 6 2->8         started        13 P)141229202021.exe 2->13         started        15 P)141229202021.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 42 pastebin.com 104.23.98.190, 443, 49733 CLOUDFLARENETUS United States 8->42 36 C:\Users\user\AppData\...\P)141229202021.exe, PE32 8->36 dropped 38 C:\...\P)141229202021.exe:Zone.Identifier, ASCII 8->38 dropped 60 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->60 62 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->62 64 Creates an undocumented autostart registry key 8->64 66 6 other signatures 8->66 19 P)141229202021.exe 2 8->19         started        22 powershell.exe 8 8->22         started        24 powershell.exe 8 8->24         started        26 4 other processes 8->26 file6 signatures7 process8 signatures9 52 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->52 54 Tries to steal Mail credentials (via file access) 19->54 56 Tries to harvest and steal ftp login credentials 19->56 58 Tries to harvest and steal browser information (history, passwords, etc) 19->58 28 conhost.exe 22->28         started        30 conhost.exe 24->30         started        32 conhost.exe 26->32         started        34 conhost.exe 26->34         started        process10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/02dd2922b3d663ac779b0a5a5f579ac6c097a3847aadf5118aac23dc0a639a87/
Threat name:
ByteCode-MSIL.Trojan.Vimditator
Create hunting rule
Status:
Malicious
First seen:
2020-12-15 19:48:35 UTC
File Type:
PE (.Net Exe)
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=alossivt2zr2y543bjnf6v42y3ajpi4epkw7kemkvqr5yctdtkdq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
261036c3c84844bc59b94e39261363d6d9443350e27e1fd4fa8e7716ab6a2e83
AgentTesla
34fef61460f3196f9c4f0f267443302cc5573d935ad73f18eb33aea41d8be5d3
AgentTesla
55948fede55c398fce76d97b8316d5da6f958b08746a33f0cdaf4e016f0a1e15
AgentTesla
6d4d2a2d69e81b0f6b91a437aaf0869956306c347f0b2ed492168f95d6b24d93
AgentTesla
73884bc59571b3c7199849dcdfb8330b57435a822c320d1913eb990db842fbbf
AgentTesla
879fabd244225331efd47ce153381e8c2bcf02a9b81b430e346f6395ecc9c666
AgentTesla
d9b7bb2c86f319f087b2e08d9097639b134acff8298e28a736a103e4eb3a6cbf
AgentTesla
de0419f15e231116f87b5ac3a8aeab734175c685920fce69c8c39836d1ab4491
AgentTesla
f550b174528b14a38ed8725fc03cf092de3e976a4287874c4fd5eb7fad33312f
AgentTesla
fdac92b0fe7d038bfdfa12127cae944e95dff1ef54684923785701d9e92dfaf4
AgentTesla
+ 1'832 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201216-x853vjcmnj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
02dd2922b3d663ac779b0a5a5f579ac6c097a3847aadf5118aac23dc0a639a87
MD5 hash:
b866bc9bf9e438572219147bb93dfaf5
SHA1 hash:
0d79f5d4e107789c7b3a67cfc0d1dff4a01a2995
Link:
https://www.unpac.me/results/9c7ac05a-389d-4e26-8a74-ecad225c7c47/
SH256 hash:
fe4a68a3e50ad7c87739d67c4543f4e35daff7365537feed8c1c319842737bab
MD5 hash:
fffedf5e1ab9d3d3c58448603ace2731
SHA1 hash:
70dd21a31db20521c5b7bba4bec6f31a42dc0b2d
Link:
https://www.unpac.me/results/9c7ac05a-389d-4e26-8a74-ecad225c7c47/
SH256 hash:
cf281b57e005dc7aada80a14e1e3e4e3c7e2b19313bf7edf3e0866047355a34a
MD5 hash:
b9df946e89f1925fcc35c5d87b8d5cd7
SHA1 hash:
ff44b1d6978efcf72614615b21eb1f6832470cd8
Link:
https://www.unpac.me/results/9c7ac05a-389d-4e26-8a74-ecad225c7c47/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/02dd2922b3d663ac779b0a5a5f579ac6c097a3847aadf5118aac23dc0a639a87

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip baa161b07212abd4cb63f7ffeb592fcdd61b67633f46c9596730c82c77d1e93d

AgentTesla

Executable exe 02dd2922b3d663ac779b0a5a5f579ac6c097a3847aadf5118aac23dc0a639a87

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 baa161b07212abd4cb63f7ffeb592fcdd61b67633f46c9596730c82c77d1e93d

Comments