MalwareBazaar Database
You are currently viewing the MalwareBazaar entry for SHA256 0f95895a5ea5227304c10231e948c8f463d02a5d7d11097c25713d9672ed3c4b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.
Database Entry
AgentTesla
Vendor detections: 9
| SHA256 hash: | 0f95895a5ea5227304c10231e948c8f463d02a5d7d11097c25713d9672ed3c4b |
|---|---|
| SHA3-384 hash: | e825c33192ccd8807d84f3adcbbb2d1789b2d314221407f1deaab6f216feadd3e6058e41276a6d923671592734c0dd90 |
| SHA1 hash: | fa71f2c5506d76e93d9ff420ebcded5ee1844175 |
| MD5 hash: | 4d17e2a8f29b7ed50573823b09184fe1 |
| humanhash: | twenty-johnny-texas-blossom |
| File name: | DHL Shipment Notification Status AWB811470484778202129-pdf.exe |
| Download: | download sample |
| Signature | AgentTesla |
| File size: | 1'008'640 bytes |
| First seen: | 2021-04-29 13:50:30 UTC |
| Last seen: | Never |
| File type: |  exe |
| MIME type: | application/x-dosexec |
| imphash | f34d5f2d4577ed6d9ceec516c1f5a744 (48'649 x AgentTesla, 19'461 x Formbook, 12'202 x SnakeKeylogger) |
| ssdeep | 12288:8KEaURIh5Ux6moLLoS60/K7yh0e8Mu28/feTE3bJZ4JG09pXL+AiPW0Of9XxTpHP:8taUroLAnp/mA38p7+At0OFg |
| Threatray | 5'562 similar samples on MalwareBazaar |
| TLSH | 40256CAC721075EEC2178C3397CE1C11821025756A2BEA0B972333BD6A2FE976F355D9 |
| Reporter |  TeamDreier |
| Tags: | AgentTesla |
Intelligence
File Origin
# of uploads :
1
# of downloads :
66
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Detection(s):
Result
Verdict:
Malware
Maliciousness:
Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Threat name:
AgentTesla
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Signature
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Status:
Malicious
First seen:
2021-04-29 03:49:16 UTC
AV detection:
12 of 47 (25.53%)
Threat level:
5/5
Detection(s):
Malicious file
Verdict:
malicious
Label(s):
agenttesla
Similar samples:
+ 5'552 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Score:
10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Contains code to disable Windows Defender
Unpacked files
SH256 hash:
74b2935b9dfe4ba397fd0507ae3c36abb77193041f2e7c43c55dc4e7b33de61c
MD5 hash:
b5c218f30fecc9cb8513ff6a46737b01
SHA1 hash:
f0416867c2b114789620b318051f1fa390b07eae
SH256 hash:
abec0f994cb35bd14b572d35687193e28227a7a761d97bf5dd4489bc3ee38a35
MD5 hash:
ea693288aeec239b212cb802098b5fbb
SHA1 hash:
40478d12d621429284dbda9472e35bea43a7b9b6
SH256 hash:
4ef7c5df104c0b2d9c1f7cb4cc7cf36ac0e6321e5d227dafe45f6b85a6523896
MD5 hash:
3cce1b26e9808ea47ed3a9bdb511f50c
SHA1 hash:
09d6382b71ba86486886e62c4a1520e9d8eeae31
SH256 hash:
0f95895a5ea5227304c10231e948c8f463d02a5d7d11097c25713d9672ed3c4b
MD5 hash:
4d17e2a8f29b7ed50573823b09184fe1
SHA1 hash:
fa71f2c5506d76e93d9ff420ebcded5ee1844175
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
YARA Signatures
MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.
| Rule name: | ach_AgentTesla_20200929 |
|---|---|
| Author: | abuse.ch |
| Description: | Detects AgentTesla PE |
| Rule name: | INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu |
|---|---|
| Author: | ditekSHen |
| Description: | Detect executables with stomped PE compilation timestamp that is greater than local current time |
| Rule name: | MALWARE_Win_AgentTeslaV3 |
|---|---|
| Author: | ditekSHen |
| Description: | AgentTeslaV3 infostealer payload |
| Rule name: | win_agent_tesla_v1 |
|---|---|
| Author: | Johannes Bader @viql |
| Description: | detects Agent Tesla |
File information
The table below shows additional information about this malware sample such as delivery method and external references.
Comments
Login required
You need to login to in order to write a comment. Login with your abuse.ch account.