MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 06a10d502aec711bf0ffff177e2020fe0c3a94cb61119ea7ba320de6cbabebb3. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 06a10d502aec711bf0ffff177e2020fe0c3a94cb61119ea7ba320de6cbabebb3
SHA3-384 hash: 0fa684307bfb019698ef6bc7bb91f03845df338bf09006f5e54c2495417008bce1a9c6829084278965c8ae57932c2d1e
SHA1 hash: 5cd59a2faa71070f43ace49eea96c49bf5cc7e24
MD5 hash: 21fcff04545aad5789da8f6fb8e1222a
humanhash: green-island-cardinal-hawaii
File name:CHECKLIST Documents.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:719'360 bytes
First seen:2020-10-07 10:46:20 UTC
Last seen:2020-10-14 10:10:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:lbRyr7Ky+uViujy4p4WuKoen7+l/DUWd2LqUAj3Y588Jl2Os5vVvc5cuVGU/BA:9Ryr+yTVuAuKHiXd2LqUN88JgTS5
Threatray 817 similar samples on MalwareBazaar
TLSH B8E4F1247A94BB8FC41F8F3B84521810D7E0D47A475BF787BCDB15E8944E6DE4A222E2
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: server50.a2zcreatorz.com
Sending IP: 69.16.232.53
From: muhammed <mk@learningsurce.com>
Subject: APPROVAL FOR CHECKLIST - Documents.
Attachment: CHECKLIST Documents.zip (contains "CHECKLIST Documents.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68892/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/484009
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Binary contains a suspicious time stamp
Disables Windows Defender (via service or powershell)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294452 Sample: CHECKLIST  Documents.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 41 Antivirus detection for dropped file 2->41 43 Antivirus / Scanner detection for submitted sample 2->43 45 Multi AV Scanner detection for dropped file 2->45 47 14 other signatures 2->47 7 CHECKLIST  Documents.exe 1 7 2->7         started        process3 file4 33 C:\Users\user\AppData\Roaming\ctsPDoYk.exe, PE32 7->33 dropped 35 C:\Users\...\ctsPDoYk.exe:Zone.Identifier, ASCII 7->35 dropped 37 C:\Users\user\AppData\Local\...\tmp3AB8.tmp, XML 7->37 dropped 39 C:\Users\...\CHECKLIST  Documents.exe.log, ASCII 7->39 dropped 49 Disables Windows Defender (via service or powershell) 7->49 51 Injects a PE file into a foreign processes 7->51 11 powershell.exe 24 7->11         started        13 powershell.exe 22 7->13         started        15 powershell.exe 25 7->15         started        17 14 other processes 7->17 signatures5 process6 process7 19 conhost.exe 11->19         started        21 conhost.exe 13->21         started        23 conhost.exe 15->23         started        25 conhost.exe 17->25         started        27 conhost.exe 17->27         started        29 conhost.exe 17->29         started        31 9 other processes 17->31
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/06a10d502aec711bf0ffff177e2020fe0c3a94cb61119ea7ba320de6cbabebb3/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 08:06:18 UTC
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=a2qq2ubk5ryrx4h774lx4iba7ygdvfglmeiz5j52gig6ns5l5ozq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
17b671d207ca3e6334ddcae8ce17f1317ccaf35e992fed85724313ee1919f519
AgentTesla
2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe
AgentTesla
4a4f7d774032e80c392ff7fe598a05736cf4f71dc0dcf5616ce980f9cbb598ae
AgentTesla
4e0d9011480354268839674ee979b89b902a9672dc5b728c3428bd613ba65154
AgentTesla
5b48475bbc32e2dbd6ebfb746071c6192e57dfdfcfc0cfb1ae9f381663728537
AgentTesla
780a88c79396f2df8841cf5f66f6807402e45b1db65e20f10d6814e6300cf8f5
AgentTesla
8600c1896f8c6835a9a5c44631ac45b319c0cc9b2e0a50a72bb37436a84ea96a
AgentTesla
96bb500afd48645a966af87ba319dc72388964f84726552f72f31c936c7628b2
AgentTesla
a0062b106277324b51718baac12082f12f735f370173fa3073abf70b86b016be
AgentTesla
cc87cc3cff16721cb3f7e6be1e5be62bcdacafd1fa70ec879c6a9c12a9b438bb
AgentTesla
+ 807 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201007-zh9s2savz2/
Unpacked files
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/bf146bcd-625d-46de-ae74-6aa0eeafe5d7/
SH256 hash:
f7dc24d0351c46e1b437ec9686fcb94f9eaaaf2ed38bc8cc9ee1be206f2d7942
MD5 hash:
fb6d7132c02086dbf456095ffa10b870
SHA1 hash:
7c9083a929a9ceba89cb900c5df8e7bb7111b346
Link:
https://www.unpac.me/results/bf146bcd-625d-46de-ae74-6aa0eeafe5d7/
SH256 hash:
12c3bfe17eb3a16e72d423f5b64d45893ced9635daa422369c31585562bc0c45
MD5 hash:
1bf75bfb3658a0bebb77cf12924ef6cf
SHA1 hash:
99d9e36e5845bd8ce4ac78e53697fb1965119630
Link:
https://www.unpac.me/results/bf146bcd-625d-46de-ae74-6aa0eeafe5d7/
SH256 hash:
aa2a5aab24f331b6157e5d575b60a006f0f48bac8776208dacf1252e25677f7b
MD5 hash:
303f77d522f1632b9c541c42da06d166
SHA1 hash:
aabb983aa58225df3433edf0215741bdc22174fb
Link:
https://www.unpac.me/results/bf146bcd-625d-46de-ae74-6aa0eeafe5d7/
SH256 hash:
06a10d502aec711bf0ffff177e2020fe0c3a94cb61119ea7ba320de6cbabebb3
MD5 hash:
21fcff04545aad5789da8f6fb8e1222a
SHA1 hash:
5cd59a2faa71070f43ace49eea96c49bf5cc7e24
Link:
https://www.unpac.me/results/bf146bcd-625d-46de-ae74-6aa0eeafe5d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/06a10d502aec711bf0ffff177e2020fe0c3a94cb61119ea7ba320de6cbabebb3

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 82a238d24ff7f915b3086d5b68a7c46fa157125965e65f02d0bbdc14065452df

AgentTesla

Executable exe 06a10d502aec711bf0ffff177e2020fe0c3a94cb61119ea7ba320de6cbabebb3

(this sample)

  
Dropped by
MD5 76bec80555612dcfa71304b27d4bbfd7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68892/
  
Dropped by
SHA256 82a238d24ff7f915b3086d5b68a7c46fa157125965e65f02d0bbdc14065452df

Comments