MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 05d05d17c53c46ee4047204c1b79ad05544c38bc26e513893a883aceb00ca737. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	05d05d17c53c46ee4047204c1b79ad05544c38bc26e513893a883aceb00ca737
SHA3-384 hash:	15ee02df69bee355f89a0af1e93a3e182bb130e8cb12c6a28483e115d4f8ea2d3193d9794d5e6b279634313ab74fdbc6
SHA1 hash:	9431adb249a83eadc1adae54a415372b4a544782
MD5 hash:	cb15bc6c74792d795af75987bbf40453
humanhash:	solar-october-sierra-jig
File name:	Revise PO12892.PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	376'832 bytes
First seen:	2021-08-30 14:18:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	ef471c0edf1877cd5a881a6a8bf647b9 (74 x Formbook, 33 x Loki, 29 x Loda)
ssdeep	6144:74XrK9PX7Fp6Gh2wWRGl0EDDf1PisZQ5rAGQwg1QtP1f4paaYlsdcaMJEdbI0Pzn:kXe9PPlowWX0t6mOQwg1Qd15CcYk0We3
Threatray	10'271 similar samples on MalwareBazaar
TLSH	T19484124588C4CCA6E71AB370D0B3CF9819757932CC956B689758E92EB870343B853E6F
dhash icon	aae2f3e38383b629 (2'034 x Formbook, 1'183 x CredentialFlusher, 666 x AgentTesla)
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

184

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Revise PO12892.PDF.exe

Verdict:

Malicious activity

Analysis date:

2021-08-30 14:21:28 UTC

Tags:

trojan rat agenttesla

Link:

https://app.any.run/tasks/f9a88c3a-758c-419f-bf9e-c7c691753013

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/183809/

Detection(s):

PUA.Win.Packer.Upolyx-12

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

DNS request

Connection attempt

Sending a custom TCP request

Sending an HTTP GET request

Creating a file in the %temp% directory

Launching a process

Using the Windows Management Instrumentation requests

Sending a UDP request

Unauthorized injection to a system process

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/748a0e50-9851-4efe-a3e1-47a56180efd2

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

spre.troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/841646

Signature

.NET source code references suspicious native API functions

AutoIt script contains suspicious strings

Contains functionality to register a low level keyboard hook

Found malware configuration

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: MSBuild connects to smtp port

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/05d05d17c53c46ee4047204c1b79ad05544c38bc26e513893a883aceb00ca737/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-08-29 23:29:36 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=axif2f6fhrdo4qchebgbw6nnavkeyof4e3srhcj2ra5m5mamu43q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0a9ce88cb32da5f8aab38458eb7b58db8ca8250a06e98d6c1a9eda48d7a1aac1

AgentTesla

27c7757a5432815c4867ebeeaa23152703af16520d73117a372e6371061fc1ee

AgentTesla

29a8a708880ca187202112de47bed915bf9fd0e64cab0d08a839b7ede6c16506

AgentTesla

35fe897b8b1d0328d99b94ec0e22de210bc3f0564a8e34a438f313fc202db999

AgentTesla

4e447b594351ff66f5cb60ee2d83a7358aee2b9d31c9310c61b0d9f81683914b

AgentTesla

5753fdf0845db0abe46df0bd5fee88a514615554ff9a7c8b9d1d1f08e9f69573

AgentTesla

a8c94f8fc9b5c2a0cd3da68122fc36b28a7b990ace2f238961742245ece50ed5

AgentTesla

b528aab1cf14c985fecd7f6f2fd0a31101cd952abedbd10cf7357708057d91b9

AgentTesla

+ 10'261 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan upx

Link:

https://tria.ge/reports/210830-s7qd8yjak6/

Behaviour

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

419e6196ec49582231a3231d79d9d81236b42bf20955052c251f17ceb32e82a1

MD5 hash:

4ab952307c0bcb8227cfaa4c2dc7347a

SHA1 hash:

1186b03d6b2b03397a142b46c49f44833400986d

Link:

https://www.unpac.me/results/eaaf693a-a3c1-443b-be98-43e37f191362/

SH256 hash:

05d05d17c53c46ee4047204c1b79ad05544c38bc26e513893a883aceb00ca737

MD5 hash:

cb15bc6c74792d795af75987bbf40453

SHA1 hash:

9431adb249a83eadc1adae54a415372b4a544782

Link:

https://www.unpac.me/results/eaaf693a-a3c1-443b-be98-43e37f191362/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.85

Link:

https://yomi.yoroi.company/submissions/05d05d17c53c46ee4047204c1b79ad05544c38bc26e513893a883aceb00ca737

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/183809/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample