MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 10d918945c8e40d54b370d251c45e8b57132323a8c24516575c3168075fbbcd0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 10d918945c8e40d54b370d251c45e8b57132323a8c24516575c3168075fbbcd0
SHA3-384 hash: 3f7eb7ed4a8dac969c788300ea352c9637ac2b528da548af223dee7c497e19542483572e2da2e6165d8eda02e4c6693c
SHA1 hash: 3fdca29e485c567d9572e4d7108780c7cb67e71a
MD5 hash: 502f5017ef981d1dc119d584d6512b35
humanhash: alanine-friend-sweet-seven
File name:DE09333552.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'048'064 bytes
First seen:2021-04-15 12:39:18 UTC
Last seen:2021-04-16 05:31:10 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:ZQ1rKJdwz4TbkKhzGgRS/VbsmdN6/MfAwBaJceJG1RQQV0pZwYf4Eq6IBp+:iN2TbrNGp9bsOwMfAF6wGUpZUEq6sp+
Threatray 3'951 similar samples on MalwareBazaar
TLSH F1255B9B62F46E16F0BE5773806330C453FEAC47DB16C2BD3DD150A92D62A81A62DF12
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DE09333552.exe
Verdict:
Suspicious activity
Analysis date:
2021-04-15 13:08:35 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/32e8ef07-6e46-48f8-820a-f9e9e03caded

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/134892/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.646-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a custom TCP request
Sending a UDP request
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/677554
Signature
.NET source code contains very large array initializations
Found malware configuration
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/10d918945c8e40d54b370d251c45e8b57132323a8c24516575c3168075fbbcd0/
Threat name:
ByteCode-MSIL.Infostealer.Coins
Create hunting rule
Status:
Malicious
First seen:
2021-04-15 06:38:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
104
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cdmrrfc4rzankszxbusryrpiwvytemr2rqsfczlvymlia5p3xtia._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1be6dc89ef7b01bdc6563c86c36e84b7560d85bab73d7186e2f223550461c5c4
AgentTesla
2ed9419745b241cf13d90594e91ea9c8a5701181e1b2c2e3ccdbd91f5b8e9ed8
AgentTesla
3b38da2795ab7148dabc9e9c5326305725793b0832a8c608f8387f0089914145
AgentTesla
3bb4ba1af57ec635228b43c11b676612091f37e15b6578fca48e9a14195a9cd5
AgentTesla
410f33042e18da4bbcc65d94bd6c7cbe7da6643917f89ce38aa08130b8a20f26
AgentTesla
740b1a3850fd5c6aedde9f7e415c9c7dd5aa38b38aad5922c16d9b84995d196a
AgentTesla
8392af9cff73aab10a60befd359d4ca2638d6a936071285579147303bb453497
AgentTesla
9c7002e97c59c4c190abb09e373a5f1010b4790dbcb714e792538e73820d5609
AgentTesla
d21652e5c2460a23b225dc870a0ca5366f341ee079f63edf01e85bd8fc43f4ac
AgentTesla
ef084a00da3c5eb39c1edf91d451876e889b75903f79020b06e8f821a2b51a08
AgentTesla
+ 3'941 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210415-97zrnwfsd2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Maps connected drives based on registry
Checks BIOS information in registry
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
5e0f3da625a479a5e7e807b5f09c889d95474139410b312ba3a39bcb05976729
MD5 hash:
3d20c2ea9ac04e1707f853bb1780bc18
SHA1 hash:
805e90b023eb92d44bbe11daefce6edbe872cb74
Link:
https://www.unpac.me/results/6383d140-1a91-44f7-a061-0af8d70ed1d8/
SH256 hash:
10d918945c8e40d54b370d251c45e8b57132323a8c24516575c3168075fbbcd0
MD5 hash:
502f5017ef981d1dc119d584d6512b35
SHA1 hash:
3fdca29e485c567d9572e4d7108780c7cb67e71a
Link:
https://www.unpac.me/results/6383d140-1a91-44f7-a061-0af8d70ed1d8/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/10d918945c8e40d54b370d251c45e8b57132323a8c24516575c3168075fbbcd0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 2a73be7051b0ada8252c9ab6aec9777a0cbcf477a5551051fca150b05d80d174

AgentTesla

Executable exe 10d918945c8e40d54b370d251c45e8b57132323a8c24516575c3168075fbbcd0

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 2a73be7051b0ada8252c9ab6aec9777a0cbcf477a5551051fca150b05d80d174
Cape
Cape
https://www.capesandbox.com/analysis/134892/

Comments