MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 093c6d24a6ee34fd279dce32ae9fc9be8970668b11e7018c0286ed350d6155e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 093c6d24a6ee34fd279dce32ae9fc9be8970668b11e7018c0286ed350d6155e9
SHA3-384 hash: f71c2f7f6f0aca27249fc5db3d707816c6a40c0bbed6114c69ee3dd9b653f769a144d6596c4c2ae8f02abae3846a73b0
SHA1 hash: b13e2fe5137c49f7c4186d6eea949651f8e2d316
MD5 hash: 544fa504d855cc2f76f3a7db1f4cbca9
humanhash: yellow-ack-kansas-mirror
File name:0000000682.pdf.GZ.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:577'024 bytes
First seen:2021-02-11 10:04:43 UTC
Last seen:2021-02-11 11:59:05 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Dy8Zi970J2edJJwh7GWSB7rr8MupwINhyo0Z58CPCXGTA4S0:DZZC0y0qpwINhY8kCXuA4b
Threatray 2'590 similar samples on MalwareBazaar
TLSH 11C4F125DFA84E55C13CAE790EB3D6242FFC83C25619C356CF903DD8D8A7E987A80691
Reporter abuse_ch
Tags:AgentTesla ESP exe geo


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: vps.grupoferrrar.com
Sending IP: 203.159.80.111
From: BANKIA <mensajeria_movil@bankia.com>
Reply-To: mensajeria_movili@bankia.com
Subject: NOTIFICACIÓN DE PAGO BANKIA CONFIRMING
Attachment: 0000000682.pdf.GZ (contains "0000000682.pdf.GZ.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
104
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
0000000682.pdf.GZ.exe
Verdict:
Suspicious activity
Analysis date:
2021-02-11 10:08:36 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/9e16cd16-eef6-4219-8dd0-d6dcbb835332

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/116774/
Detection(s):
SecuriteInfo.com.Artemis544FA504D855.19368.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/605641
Signature
.NET source code contains very large array initializations
Binary contains a suspicious time stamp
C2 URLs / IPs found in malware configuration
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/093c6d24a6ee34fd279dce32ae9fc9be8970668b11e7018c0286ed350d6155e9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-02-11 09:15:33 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=be6g2jfg5y2p2j45zyzk5h6jx2exazulchtqddacq3wtkdlbkxuq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
057829405c326876f0dfff1b3242e845a539fbe24fa5518dbee764adf7910fd8
AgentTesla
0f581ed2051c4a3b6f4d7d6e63c3a90ccf07f3d2054b0ec88c05826102749680
AgentTesla
128680958e398b5449f0a60b2fc4f1bbaaf5a3b22be2d8f2e2b58a0ed70dc84b
AgentTesla
2d31d4b70c99a9be8ea02ebeedc419827e44569d3bd835bdfe29b46b89c99a1f
AgentTesla
477d57f165a0cdcf90d8a93fc5c64c0beff6ca253f996b6399327fe8b644623f
AgentTesla
488389b83ef686ae55e23b703daaeed23d3c791b95f0248bba422d58d2faaf85
AgentTesla
5bbb6f4426870c981ad4c9049d6b471e153780d29e0e02030a0f26c3d1050375
AgentTesla
61bb0008f7eb07dee59ef765fe010cf1612d9e8f3a17a5cb3b5fbab76d232df9
AgentTesla
71ff53e9c3b0f0f7512056fb0a5b7cacf603145913ff9c6224f2cca398c15c89
AgentTesla
e48eaa56cf0a12668fc9400f1a6d8840ea70127c7653c497887cb50b296317ec
AgentTesla
+ 2'580 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210211-x3q281h6xx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/74a6eadf-3109-4aca-b333-19df6f3284cd/
SH256 hash:
093c6d24a6ee34fd279dce32ae9fc9be8970668b11e7018c0286ed350d6155e9
MD5 hash:
544fa504d855cc2f76f3a7db1f4cbca9
SHA1 hash:
b13e2fe5137c49f7c4186d6eea949651f8e2d316
Link:
https://www.unpac.me/results/74a6eadf-3109-4aca-b333-19df6f3284cd/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz b2029f79bda2ee8c383b0e99689c8fd35563bb1fd16a4a9550f9579989b2dafb

AgentTesla

Executable exe 093c6d24a6ee34fd279dce32ae9fc9be8970668b11e7018c0286ed350d6155e9

(this sample)

  
Dropped by
MD5 4211bc48f5579fba1290d4e823a08ce5
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/116774/
  
Dropped by
SHA256 b2029f79bda2ee8c383b0e99689c8fd35563bb1fd16a4a9550f9579989b2dafb

Comments