MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1388d3dc65b5a8f05d05e9b00abb80d9cfb688d7aeabdce64fb81b298f74523f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1388d3dc65b5a8f05d05e9b00abb80d9cfb688d7aeabdce64fb81b298f74523f
SHA3-384 hash: a77d7f05d9326b6060451832820bef6b881797ff730eb4161298dac57ec459fe0deed42294ffe6e1b958c980f861dfc7
SHA1 hash: c172d237acf9c27ca2e63f62d21bc5b24012068e
MD5 hash: ca29f42523c4966749289de2b2002028
humanhash: burger-utah-bluebird-georgia
File name:8dwXac7VLkHtfXR.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:519'680 bytes
First seen:2020-12-01 09:57:38 UTC
Last seen:2020-12-01 14:30:58 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'662 x AgentTesla, 19'477 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:e4r7j4whhjZADj2p1z4a+cWb+H/d5U1+61ot8LF1TMvx2iJG3offjnms:e47hjZUj24a9fZ6y8v
Threatray 1'573 similar samples on MalwareBazaar
TLSH 0BB49DF8310179EFCA1BCAB9D6542C68AE6038775317C10AA65B04DA6A1DBD7CF148F3
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
3
# of downloads :
153
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/106200/
Detection(s):
Win.Packed.Generickdz-9800742-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/552058
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 325132 Sample: 8dwXac7VLkHtfXR.exe Startdate: 01/12/2020 Architecture: WINDOWS Score: 100 29 Found malware configuration 2->29 31 Antivirus detection for dropped file 2->31 33 Antivirus / Scanner detection for submitted sample 2->33 35 9 other signatures 2->35 7 8dwXac7VLkHtfXR.exe 6 2->7         started        process3 file4 19 C:\Users\user\AppData\...\QVCnPWseRBozgg.exe, PE32 7->19 dropped 21 C:\Users\user\AppData\Local\...\tmpDD2B.tmp, XML 7->21 dropped 23 C:\Users\user\...\8dwXac7VLkHtfXR.exe.log, ASCII 7->23 dropped 37 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 7->37 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->41 43 2 other signatures 7->43 11 8dwXac7VLkHtfXR.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 25 hrg-longbeach.com 68.171.212.80, 49734, 587 ASACENET1US United States 11->25 27 mail.hrg-longbeach.com 11->27 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 2 other signatures 11->51 17 conhost.exe 15->17         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1388d3dc65b5a8f05d05e9b00abb80d9cfb688d7aeabdce64fb81b298f74523f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-26 02:43:23 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=coenhxdfwwupaxif5gyavo4a3hh3ncgxv2v5zzspxanstd3uki7q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
366ec72f3e385fffc76a6750312ef73abb87afb3e9f04d0930c5053fe793f0d6
AgentTesla
4574055c204f272af805107051d06291970dfa5e1f05fafd268f17b499b3ebf8
AgentTesla
486d7c96b47e6a1278f06601b3cfb146a2a453cf2b4658036f4a392298195bf9
AgentTesla
48ec76cfb4b4ea2605a727eeb7314f5b724969764ce02b7e6937211948c5ccfe
AgentTesla
590d1a6a1fa00812284d4f5e4f47cb34d4965c79bfc9ec1741f2a8e14967719b
AgentTesla
686789301fea6358387eca5be159a65c666a6854e54df7b5a0f38f0e222abe88
AgentTesla
b1601867a9da1a51e59ddfc6c1d2d4cae7190945cbc163a04400a1b2b872aee8
AgentTesla
cc3f2040e16deb0a3a03c1c188b9ddf91b1caf746a4c8ebb1cc99c2ffda198ce
AgentTesla
ea4d7ae710b25f166a8d0a4254983d69ac60da4f6846bf912362c00f8e25c382
AgentTesla
f148b6ad99c39c47a48a82fc4959b98ccfed28b35556ea3e0f07d0b8911d5e15
AgentTesla
+ 1'563 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201201-12vtf6xkt2/
Unpacked files
SH256 hash:
1388d3dc65b5a8f05d05e9b00abb80d9cfb688d7aeabdce64fb81b298f74523f
MD5 hash:
ca29f42523c4966749289de2b2002028
SHA1 hash:
c172d237acf9c27ca2e63f62d21bc5b24012068e
Link:
https://www.unpac.me/results/06fea9fe-f442-4be9-858a-bb9844c463b2/
SH256 hash:
3bdd07a7a6064a10025889b45b6f9f09eadc952b17aa636831743f1bc727c3ad
MD5 hash:
c24007552cc0d297d1f2fc1d3aaf1ce0
SHA1 hash:
67bd9cdd84fa54b449694976ce4f3e442b3c779c
Link:
https://www.unpac.me/results/06fea9fe-f442-4be9-858a-bb9844c463b2/
SH256 hash:
cb951f1d2b5460456aad0d89cef1216d9be5e51784d11a92447d43e96177bd5e
MD5 hash:
8cd5d2014866f4ef60802ff1826998a6
SHA1 hash:
8ff75946905d0b117080cc5a07e6e0bbea4e9bbd
Link:
https://www.unpac.me/results/06fea9fe-f442-4be9-858a-bb9844c463b2/
SH256 hash:
c9186544de1f28f597c3ff013fa475d37d24dfa4fd14b143ea8cc4998e797062
MD5 hash:
d29e27c49bc361bbf125b0346759a4b2
SHA1 hash:
aa53a4451abc2f52078f0b77567cc0c8114cb28b
Link:
https://www.unpac.me/results/06fea9fe-f442-4be9-858a-bb9844c463b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/1388d3dc65b5a8f05d05e9b00abb80d9cfb688d7aeabdce64fb81b298f74523f

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip d688d4735ec3a7fe194f6a849487dab2a2d56c4868976b1ed25b8dd3e78d4ba6

AgentTesla

Executable exe 1388d3dc65b5a8f05d05e9b00abb80d9cfb688d7aeabdce64fb81b298f74523f

(this sample)

  
Dropped by
MD5 9c9144078de03ad7fb84a0ef2b26c1fc
  
Dropped by
SHA256 d688d4735ec3a7fe194f6a849487dab2a2d56c4868976b1ed25b8dd3e78d4ba6
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/106200/

Comments