MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 12d8decff8e6285f7bf32161258817d35ebf684c9db5acb26aa79dd6c6e96960. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 12d8decff8e6285f7bf32161258817d35ebf684c9db5acb26aa79dd6c6e96960
SHA3-384 hash: b74049c4d024bb4287e8809960ed705038f3b632f8be42af7cc6629ce85df59d93213b59ad352fa9b250961d11f986c0
SHA1 hash: 013aa99862c45afe518018a4ca5d8b230f94d0da
MD5 hash: b1843967b94d29f088ec35143ad94e6e
humanhash: potato-october-whiskey-nuts
File name:b1843967b94d29f088ec35143ad94e6e.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:421'888 bytes
First seen:2020-07-07 06:23:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 6144:IGYNxBeIIslR0QGVxLMJssAU6L/oNCXCsoS8wfpXC1:IGYUIIsPGVJ86LqCS/Lwfp4
Threatray 4'995 similar samples on MalwareBazaar
TLSH 3D94297711A78076C15C1334ECB10F0B3678D6351A92B299B55EA2EEDC1E78D8EF8368
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
76
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/21855/
Detection(s):
SecuriteInfo.com.MSIL.PSW.Agent.RUL.27897.UNOFFICIAL
Create hunting rule

PUA.Win.Downloader.Aiis-6803892-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
DNS request
Using the Windows Management Instrumentation requests
Creating a window
Reading Telegram data
Reading critical registry keys
Sending a TCP request to an infection source
Stealing user critical data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/12d8decff8e6285f7bf32161258817d35ebf684c9db5acb26aa79dd6c6e96960/
Threat name:
ByteCode-MSIL.Infostealer.Agensla
Create hunting rule
Status:
Malicious
First seen:
2020-07-06 08:11:49 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=clmn5t7y4yuf667tefqslcax2npl62cmtw22zmtku6o5nrxjnfqa._file
Verdict:
malicious
Similar samples:
0b95b126cf983c7a26829e8355d66de10cc1e085a3a981703040269ce43f863a
AgentTesla
178cf2e50182606e000719ee8b7caa9c620950155542d10de6dd7eb5a2a34d01
AgentTesla
24c871a763e208ba82f7ce7df48fea42c962214954181dc72f17c9112cc74c5e
AgentTesla
256966058fb63c734b270b6842820287bb83a5895d0a14a5b66f52db037405fb
AgentTesla
429cefff743820eac9d12ba43fb0c12bd77b854330164a74b6450230a31928bc
AgentTesla
58556055a31ae8d4e6bc4afd7feaf61439ea03860546796f6a1bc2cd100625ce
AgentTesla
5a888d05804d06190f7fc408bede9da0423678c8f6eca37ecce83791de4df83d
AgentTesla
b23504990949945298994fe36a74f143e6534c45c9b7186451f46891e117da6e
AgentTesla
ca8194e9a1232e508619269bdf9a9c71c4b76e7852d86ed18f02088229b0f7c7
AgentTesla
e363126219327414e0ab73a7b053e3c25bcfd656ff7b3b1f5db6e86076a93986
AgentTesla
+ 4'985 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
discovery spyware
Link:
https://tria.ge/reports/200707-3xp4drna5a/
Behaviour
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks for installed software on the system
Checks for installed software on the system
Loads dropped DLL
Reads user/profile data of web browsers
Loads dropped DLL
Reads user/profile data of web browsers
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Agenttesla_type2
Create hunting rule
Author:JPCERT/CC Incident Response Group
Description:detect Agenttesla in memory
Reference:internal research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe 12d8decff8e6285f7bf32161258817d35ebf684c9db5acb26aa79dd6c6e96960

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/408183/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/21855/

Comments