MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 0c489620eca7cd68cfda5122400dcdb27830f22c95452370b5fe06c317a0eb02. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	0c489620eca7cd68cfda5122400dcdb27830f22c95452370b5fe06c317a0eb02
SHA3-384 hash:	81655c8dc2c2e4a8751289e6e80e277f122df3301ed473903c0b9f87cc9c3edc1938d29296aec67bdd7c4ca070cbe0f6
SHA1 hash:	7ae0ec6a4966bfd5e657f855f368f30e9d710638
MD5 hash:	81a84115497dcf5afbd3a98127ecb522
humanhash:	burger-glucose-beryllium-spaghetti
File name:	$96,914.38 MT103 Copypdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'026'560 bytes
First seen:	2021-06-07 14:31:22 UTC
Last seen:	2021-06-07 15:51:57 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep	12288:H7pILw94fj6yeCg0uyTwUVYtXiZZxCJ83FvYim8J/UpAhisx1o8JD8O/5gV1fxmx:HWsWcUVYtXiZSiVxm81jhF1RJDN4i
Threatray	5'692 similar samples on MalwareBazaar
TLSH	6125AF1173D43E9BE17EE23BA629915C81F5EA53A632DA9F3D94C0CE11E1F028352763
Reporter	TeamDreier
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

284

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

$96,914.38 MT103 Copypdf.exe

Verdict:

Malicious activity

Analysis date:

2021-06-07 14:32:29 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/3adccbc3-b0fc-44a7-bf50-79da0dd8def4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/165044/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.820.6641.12883.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/798168

Signature

.NET source code contains very large array initializations

Found malware configuration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Process Start Without DLL

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/0c489620eca7cd68cfda5122400dcdb27830f22c95452370b5fe06c317a0eb02/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-06-07 14:32:12 UTC

AV detection:

12 of 29 (41.38%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=brejmihmu7gwrt62kereadonwj4db4rmsvcsg4fv7ydmgf5a5mba._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

20d3cfdb31efea5342fbc7bec9f0e3c5342ea0d370e9fe33a4fd3506f2129cdd

AgentTesla

2e806e0101522c188033d18c53d9d8a3a769257c38898b2446a8b6b9b5a90ee8

AgentTesla

324d1cad5bb30b0d9d920e5460219eda13153d0a0d8a4ca6f1a7596704093029

AgentTesla

3f2cba483eead01ce5217afd98d8308007cf4b4b5e81bd658d27b9f31abc4b77

AgentTesla

8bb298fcc8ae3cfbf4e3be43c3a1b8a2cbee1981215df099bf3ec28846070b7d

AgentTesla

bd2b74e08fad018b100e51f29b67beb001afac1b243e73f4180d22879d86c639

AgentTesla

caab2d0e7e9937e45bdd6d177c06691d0bfe812c2175acd4df0c7232955a3561

AgentTesla

e60c96af9c671afb6096d78d825d9e28d969ed94f25376300eb97f64b25bdde5

AgentTesla

f134da53b5e6400a6b810bcb5883d2ecaf6e3c0f973ccdacc5ddb93ea0c9194a

AgentTesla

+ 5'682 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210607-6h56314j3s/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

34e69e90b7cb6121c3f93911f21dfb00491ea5d5bb79bfce4902d04f72c24184

MD5 hash:

b6b086a0ab13f3feb9ee8c846d230e5d

SHA1 hash:

dd8e1b816f3e7d9dcfa6eddc20a27fe0fbed478a

Link:

https://www.unpac.me/results/d7770494-aeb1-48ca-ba8e-32939697d057/

SH256 hash:

0c489620eca7cd68cfda5122400dcdb27830f22c95452370b5fe06c317a0eb02

MD5 hash:

81a84115497dcf5afbd3a98127ecb522

SHA1 hash:

7ae0ec6a4966bfd5e657f855f368f30e9d710638

Link:

https://www.unpac.me/results/d7770494-aeb1-48ca-ba8e-32939697d057/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/0c489620eca7cd68cfda5122400dcdb27830f22c95452370b5fe06c317a0eb02

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/165044/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample