MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10c1a96815bd0c7be46492ca8374f6ba3abfc34ac5a12a18b9b984c8f1859959. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8


SHA256 hash: 10c1a96815bd0c7be46492ca8374f6ba3abfc34ac5a12a18b9b984c8f1859959
SHA3-384 hash: 6114a16603ebe803c5379d002b52256a01b2ef55b3333665332d9fb197d0990def601aa6d7b72072e4d6c0b8f51986e0
SHA1 hash: 6f7f116099dcba559bccf87bbbccd015b5a2a8f0
MD5 hash: f934a9535cfe377c899c96ac4a620fe9
humanhash: south-india-harry-wisconsin
File name: example of design.exe
Signature: AgentTesla
File size: 755'648 bytes
First seen: 2020-10-16 13:46:36 UTC
Last seen: 2020-10-16 15:15:53 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:igD/3Jrpq+AKa2kJ/Su3NR0GwY6qFp387Eq:VD/3dD7ZkJ/Lfp6q87Eq
Threatray 326 similar samples on MalwareBazaar
TLSH 97F47CB16BDDD46FC66A327151B680C1B6671EC66BA0C60F63DAB30C0E34516AF1F31A
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing AgentTesla:

HELO: mahadewa.dua.rumahweb.com
Sending IP: 103.253.212.207
From: Tara <sale01@iokoi.xyz>
Subject: Re: Spring and Summer Demand
Attachment: example of design.zip (contains "example of design.exe")

AgentTesla SMTP exfil server:
smtp.yandex.com:587

Intelligence

File Origin
# of uploads: 2
# of downloads: 102
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware

Behaviour
Creating a file in the %temp% subdirectories
Creating a window
Unauthorized injection to a recently created process
Creating a file
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-10-16 10:54:30 UTC
AV detection: 24 of 29 (82.76%)
Threat level: 5/5
Result
Malware family: agenttesla
Score: 10/10
Tags: keylogger stealer spyware trojan family:agenttesla
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SHA256 hash:
10c1a96815bd0c7be46492ca8374f6ba3abfc34ac5a12a18b9b984c8f1859959
MD5 hash:
f934a9535cfe377c899c96ac4a620fe9
SHA1 hash:
6f7f116099dcba559bccf87bbbccd015b5a2a8f0
SHA256 hash:
f02033a0e7e4039ed985574b19bc9758895ed16d35c90d601b0c311e333e9a92
MD5 hash:
aff444fd537c8338f746e8e03c564b65
SHA1 hash:
101f17e41bfab48e8575c1f25f77505de5bb406d
Detections:
win_agent_tesla_w1
SHA256 hash:
30140c3bf5874d7d184b15513016f9de1524ae95a5efe9a1cb15bad6d6936d64
MD5 hash:
03847d82611bc6461cbb99ca768828f1
SHA1 hash:
39859a3fd3326520dfd1ed10456bb227933a8871
SHA256 hash:
cc68e3eb8bccc4a249ec5b6f7d83cb2230442040a398aa362c30bfa520987bc5
MD5 hash:
0c74f2c28837f15bd9481236e4fff068
SHA1 hash:
d6aaa270e7cde6512b8861d725556433b7da78b9
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: AgentTesla_extracted_bin
Author: James_inthe_box
Description: AgentTesla extracted

Rule name: AgentTesla_mod_tough_bin
Author: James_inthe_box
Reference: https://app.any.run/tasks/3b5d409c-978b-4a95-a5f1-399f0216873d/

Rule name: Agenttesla_type2
Author: JPCERT/CC Incident Response Group
Description: detect Agenttesla in memory
Reference: internal research

Rule name: CAP_HookExKeylogger
Author: Brian C. Bell -- @biebsmalwareguy
Reference: https://github.com/DFIRnotes/rules/blob/master/CAP_HookExKeylogger.yar

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

Rule name: win_agent_tesla_w1
Author: govcert_ch
Description: Detect Agent Tesla based on common .NET code sequences

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 10c1a96815bd0c7be46492ca8374f6ba3abfc34ac5a12a18b9b984c8f1859959
(this sample)

Delivery method: Distributed via e-mail attachment
