MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12500a861997fbc41a1d65ddf8de97d82c2dbe0c7c252bcf2513ebc92372f88e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12500a861997fbc41a1d65ddf8de97d82c2dbe0c7c252bcf2513ebc92372f88e
SHA3-384 hash: 0d7308049df8b1d9afabfa589716e237b56a9d927bd2cd1d6abfe537d2188dc943af1efce6d1413866e1ad3e2e3b9714
SHA1 hash: 5a88ab5d13fdfea9ebd3920cab189775d05e5d1e
MD5 hash: e173d0e3f346844bdee7ffecbdd32294
humanhash: magazine-summer-autumn-diet
File name:dWSU.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:852'992 bytes
First seen:2020-10-09 09:53:38 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'602 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:Z5pdR+L01vflXKcBhZQHSxTFbpuGYX9piV0Nm9O3yfy5DGlCfqI0rUIqbzymwdtD:3IGLAZX9piV3G5DGlCerUIczymQtpzF
Threatray 1'088 similar samples on MalwareBazaar
TLSH 8105D0197B56EB8FC72D4F7A840344249BF0D5339206F3CB7ED669E8899A3C98B11253
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/69521/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Unauthorized injection to a recently created process
Creating a file
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/486597
Signature
Found malware configuration
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 295743 Sample: dWSU.exe Startdate: 09/10/2020 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Multi AV Scanner detection for dropped file 2->33 35 Sigma detected: Scheduled temp file as task from temp location 2->35 37 7 other signatures 2->37 7 dWSU.exe 7 2->7         started        process3 file4 21 C:\Users\user\AppData\...\jKDdvhAeLgmB.exe, PE32 7->21 dropped 23 C:\Users\...\jKDdvhAeLgmB.exe:Zone.Identifier, ASCII 7->23 dropped 25 C:\Users\user\AppData\Local\...\tmp3067.tmp, XML 7->25 dropped 27 C:\Users\user\AppData\Local\...\dWSU.exe.log, ASCII 7->27 dropped 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->41 11 dWSU.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        17 dWSU.exe 7->17         started        signatures5 process6 dnsIp7 29 smtp.privateemail.com 199.193.7.228, 49769, 587 NAMECHEAP-NETUS United States 11->29 43 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->43 45 Tries to steal Mail credentials (via file access) 11->45 47 Tries to harvest and steal ftp login credentials 11->47 49 Tries to harvest and steal browser information (history, passwords, etc) 11->49 19 conhost.exe 15->19         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12500a861997fbc41a1d65ddf8de97d82c2dbe0c7c252bcf2513ebc92372f88e/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-09 09:53:29 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjiavbqzs754igq5mxo7rxux3awc3pqmpqssxtzfcpv4si3s7cha._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
1957889d188ba3fd7df0ac9e3fe2505d5bd8576865fb96907fc52ad4517db8b1
AgentTesla
1cee45036baef97e9be4d746253f962163c4addc173c3b1d401d54d16b66c36d
AgentTesla
2df3cf76977b778b4ffe30de57192b6db63debdd422a296d788f8552be32181f
AgentTesla
2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe
AgentTesla
3d28762fd17d3315647ac901942b234cbacca781014965398a2079ccc6766337
AgentTesla
5b48475bbc32e2dbd6ebfb746071c6192e57dfdfcfc0cfb1ae9f381663728537
AgentTesla
a0062b106277324b51718baac12082f12f735f370173fa3073abf70b86b016be
AgentTesla
c82132cbb99629877f81482148e3667c3c64b376d6c7486475dc25dd25a64b9e
AgentTesla
dcbcaf3bd263e87cfa4c5355c0c3236552bef553cd9fd4bec8e57200b71a23a4
AgentTesla
f974f658397b27bbc57a78873cfbebe57a8ff2742fc9b8bc4a69bc6736625099
AgentTesla
+ 1'078 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201009-1n4k35t25e/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
12500a861997fbc41a1d65ddf8de97d82c2dbe0c7c252bcf2513ebc92372f88e
MD5 hash:
e173d0e3f346844bdee7ffecbdd32294
SHA1 hash:
5a88ab5d13fdfea9ebd3920cab189775d05e5d1e
Link:
https://www.unpac.me/results/4bb4c344-eeec-4508-b705-dd5522ccb92e/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/4bb4c344-eeec-4508-b705-dd5522ccb92e/
SH256 hash:
e86a4c2aa642b659488c7b5dc3b241d17b9e43cd678d7856e69e14e92bce2836
MD5 hash:
2a001b048153a1e600faf211720fa84b
SHA1 hash:
02c2b850ebb9a8416ad7d36771e571b99761c4ce
Link:
https://www.unpac.me/results/4bb4c344-eeec-4508-b705-dd5522ccb92e/
SH256 hash:
f3dbb9fb24ee89a6d47651791858bafe61e1d1e0933a8480f46c493ff655e71d
MD5 hash:
f00f0da297eef5d18793b08a1ac2adb2
SHA1 hash:
2cb1ecea0c03dde0f9b633e84329ee5f136f6de8
Link:
https://www.unpac.me/results/4bb4c344-eeec-4508-b705-dd5522ccb92e/
SH256 hash:
7f69a1f0bc7790dbbc092c5b6f1813434a53ac5a313c4d17fb138da682752997
MD5 hash:
43595da6aa96eb5d6d7477b0eca451a6
SHA1 hash:
3a4f63467be0e73ad497584efbc38939e4286919
Link:
https://www.unpac.me/results/4bb4c344-eeec-4508-b705-dd5522ccb92e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12500a861997fbc41a1d65ddf8de97d82c2dbe0c7c252bcf2513ebc92372f88e

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/69521/

Comments