MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12b279cae78622ee760ccc4be44445388e916c93230b2991acf53ff6c8e68377. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12b279cae78622ee760ccc4be44445388e916c93230b2991acf53ff6c8e68377
SHA3-384 hash: df338efa6604b3423fad71f775f390d401cae4fd1645353607ed9dc670dbed12c851ea4c4aa179834ec9099a3bb4a1d7
SHA1 hash: 8602ad9f3467572e95d94811bf595b4066529f62
MD5 hash: 7a150cf1da525e0479fb06e59b2bfda6
humanhash: sad-cardinal-kentucky-florida
File name:DECEMBER ORDER.bat
Download: download sample
Signature AgentTesla
Create hunting rule
File size:3'309'752 bytes
First seen:2020-12-16 13:34:45 UTC
Last seen:2020-12-16 15:46:17 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'462 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 49152:UfcYzhnqMW/mGj30/oJBG3CiG9PtquQ04pQcA:UfcYzhn1W/m230/oJB+BG9PtquQ04ZA
Threatray 1'839 similar samples on MalwareBazaar
TLSH 73E5275C3C43309FB58A40B046EB66E892DA3119157127399CE7247CEA2DDAB7CDF872
Reporter cocaman
Tags:AgentTesla bat

Code Signing Certificate

Organisation:Bbdfbcbafcc
Issuer:Bbdfbcbafcc
Algorithm:sha256WithRSAEncryption
Valid from:Dec 14 19:13:12 2020 GMT
Valid to:Dec 14 19:13:12 2021 GMT
Serial number: 15351FC28A5AA00490DDB365A143EB8B
Thumbprint Algorithm:SHA256
Thumbprint: DB2B5B155E29524372E3AB23559022CC73946A49F311956CFACDB14747A2341D
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
3
# of downloads :
195
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
DECEMBER ORDER.bat
Verdict:
Malicious activity
Analysis date:
2020-12-16 13:35:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/ea2f0412-1e2c-4a17-a5d6-a6e73a365ae1

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection(s):
SecuriteInfo.com.Trojan.GenericKD.45014580.20042.1284.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/564272
Signature
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 331220 Sample: DECEMBER ORDER.bat Startdate: 16/12/2020 Architecture: WINDOWS Score: 100 39 pastebin.com 2->39 45 Multi AV Scanner detection for dropped file 2->45 47 Sigma detected: Powershell adding suspicious path to exclusion list 2->47 49 Multi AV Scanner detection for submitted file 2->49 51 11 other signatures 2->51 8 DECEMBER ORDER.exe 24 6 2->8         started        13 DECEMBER ORDER.exe 2->13         started        15 DECEMBER ORDER.exe 2->15         started        17 3 other processes 2->17 signatures3 process4 dnsIp5 41 pastebin.com 104.23.99.190, 443, 49736, 49769 CLOUDFLARENETUS United States 8->41 43 192.168.2.1 unknown unknown 8->43 35 C:\Users\user\AppData\...\DECEMBER ORDER.exe, PE32 8->35 dropped 37 C:\...\DECEMBER ORDER.exe:Zone.Identifier, ASCII 8->37 dropped 53 Creates an undocumented autostart registry key 8->53 55 Creates autostart registry keys with suspicious names 8->55 57 Creates multiple autostart registry keys 8->57 59 3 other signatures 8->59 19 powershell.exe 22 8->19         started        21 powershell.exe 14 8->21         started        23 powershell.exe 12 8->23         started        25 3 other processes 8->25 file6 signatures7 process8 process9 27 conhost.exe 19->27         started        29 conhost.exe 21->29         started        31 conhost.exe 23->31         started        33 conhost.exe 25->33         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12b279cae78622ee760ccc4be44445388e916c93230b2991acf53ff6c8e68377/
Threat name:
ByteCode-MSIL.Trojan.Vimditator
Create hunting rule
Status:
Malicious
First seen:
2020-12-15 03:24:54 UTC
File Type:
PE (.Net Exe)
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ckzhtsxhqyro45qmzrf6ircfhchjc3etemfstenm6u77nshgqn3q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0156cc74dc52bcb6c9e1ea57e4e68825fb45a506e17701895e056a677d413184
AgentTesla
2aa2a644cc059d9314a783e295e4c35102ffce374e2bf1b49f8fb8631ffdbb65
AgentTesla
606c4f2ce5137a68df332711e8bcc880e4c28c77c6974bac48f2826da93ae049
AgentTesla
69b3daa0773330e2607a293d7e268f6360c74f1a446a803944a00c8cd5162527
AgentTesla
7495c08fc81b009e27f348ba86ccec5ca51826e7f7e7fc74342f36a8d84020f9
AgentTesla
84afce79b516a2535b4f063e9dd9aef84aa6288bdc65c4fa5dbbba0bc06727ec
AgentTesla
8642bef0da90b39eff7e2f28570d28aa2a9aaabcd181c9f64bcfbdd331a606f1
AgentTesla
9efe8cef3127a10a3c0ee380a77298650e7a54e9e785d86f9871c00c2ad62bdf
AgentTesla
b3eb9d09d5bbdcbc7ce33fcf3863d74277d7ed3a229bb44da6baaa62b8595397
AgentTesla
ce2c29bbd18352557dd6fb16e294265d66d8d13e6d0586ef8030bbeb28e0cc97
AgentTesla
+ 1'829 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201216-dg47fkbdw6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SH256 hash:
12b279cae78622ee760ccc4be44445388e916c93230b2991acf53ff6c8e68377
MD5 hash:
7a150cf1da525e0479fb06e59b2bfda6
SHA1 hash:
8602ad9f3467572e95d94811bf595b4066529f62
Link:
https://www.unpac.me/results/6eb1b088-fd48-4521-934b-984ddac80065/
SH256 hash:
7fc049f09b0694ad16a4bcb2adc307d65e12c105626376cf6ec20c280b624607
MD5 hash:
787db52db28cfae5e4294798a3e330a2
SHA1 hash:
88beaebc8edcf2c9333e645d7ddd8da0b8a77e6f
Link:
https://www.unpac.me/results/6eb1b088-fd48-4521-934b-984ddac80065/
SH256 hash:
2bc104d4c16d7db70d809227548ceef4e6718031bb3283107a25b1610d7f66e7
MD5 hash:
b2f5a71ec90a4714e9b5741ae6013786
SHA1 hash:
9be4449a5fed333b1456549a3f2ca7d5e210751c
Link:
https://www.unpac.me/results/6eb1b088-fd48-4521-934b-984ddac80065/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Nanocore
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/12b279cae78622ee760ccc4be44445388e916c93230b2991acf53ff6c8e68377

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 151780de003e4c3e6df80450146734a15a86d0e48e48e925fe093d5964231dca

AgentTesla

Executable exe 12b279cae78622ee760ccc4be44445388e916c93230b2991acf53ff6c8e68377

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 151780de003e4c3e6df80450146734a15a86d0e48e48e925fe093d5964231dca

Comments