MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 125203c92ab4db76de740b9cb2ce5908bbf6ee86864855a4903e2d5c17953ad1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 125203c92ab4db76de740b9cb2ce5908bbf6ee86864855a4903e2d5c17953ad1
SHA3-384 hash: 326d973eb0351bf0437c8e4e6e9b9bd2001f4e6af6bc53c4fcf56b4f8d4041ff62eafb2f2103e594d60b1b7be9ea2fee
SHA1 hash: 5715e9d57867f2a879e22e7ec8c1a43d764f308a
MD5 hash: 0e6172f9e849b709f365f06a7c13346d
humanhash: river-bacon-bravo-queen
File name:Request for Quotation For Tender No 4466839.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:626'688 bytes
First seen:2020-09-18 21:42:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f01e0f86270b7f3e5d91b31f21985535 (5 x AgentTesla, 2 x Loki, 1 x AveMariaRAT)
ssdeep 6144:vlSZG2SnRgGTuKoQJ7PACIxRcddo7rrMr/q3YSAnadHa7QNz135UtY/fM5buC/v4:MY2SRgOu9uO2dm4rqoXa3p11w/v/h8ya
Threatray 117 similar samples on MalwareBazaar
TLSH 83D4AF66B1D04433C1632E3C9D4B53B8A86BBE11391B5886FBE5EF4C5F39681353A287
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/63549/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

SecuriteInfo.com.Variant.Zusy.313289.23925.21257.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/470472
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/125203c92ab4db76de740b9cb2ce5908bbf6ee86864855a4903e2d5c17953ad1/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-09-18 20:33:21 UTC
File Type:
PE (Exe)
Extracted files:
39
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=cjjahsjkwtnxnxtuboolftszbc57n3ugqzefljeqhywvyf4vhliq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
0863c38d844a42375b3057d52bc75e6d67a3aa202bd5b5e14079929147c68b89
AgentTesla
2434b60331e372fc347f46ac1ede21a078fc11ddea75c52679ab4c49cd3c12c7
AgentTesla
37a4202e64f88ef928f46cdb05653527a1201aaffd431022eececff19348515b
AgentTesla
3a8afa181b83a479c7c476791061dd4a7df56a59e21bcb72f0c8a32d76b66d5b
AgentTesla
614052880e43375009bd02fcb10e8399d2e855cff58fc27ad94711dee1973186
AgentTesla
7301fa4edc89a5bd4a18479ebf5b88460ee35b4631e147a8754866a58bcae873
AgentTesla
93d22d39577ab983c75badd9019b57420a4e2bfc300d6a37d90885d823396058
AgentTesla
b98ed6a71c93bc3722112643bea2bbe8767e016d807e0463266ee2fd47ad9e80
AgentTesla
c1c58c6918062b4e641a924b19712a015d1a74b184e3fb19e444216edbdfcedd
AgentTesla
c50e9e99a365c6770569ca96ac2482b3bd82f946d41946e836a010ca429a7a4d
AgentTesla
+ 107 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200918-r4lmc7s4pa/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/125203c92ab4db76de740b9cb2ce5908bbf6ee86864855a4903e2d5c17953ad1

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/63549/

Comments