MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 14cfd67c3c951abc14be2cd169d09d7361d346131438ffa7d83fcb63cb9e2a2c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 4 File information Comments

SHA256 hash:	14cfd67c3c951abc14be2cd169d09d7361d346131438ffa7d83fcb63cb9e2a2c
SHA3-384 hash:	904d7125d8c471a8df4825fa9b07fef86ce8f3d356c4d749875fada5eade240c639bbae8458ea5696932ab051d265ef9
SHA1 hash:	87f70ac05f914df3a83deb314b3729e9211ac6b6
MD5 hash:	2be2bd813f07842576f03aa5d7270f91
humanhash:	low-ack-moon-burger
File name:	DA01-19415_Payment.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	734'208 bytes
First seen:	2021-02-16 14:37:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:vu+IcYvgtas4HWrp+t12pjskBiIaRG3Nd//XGM5EPJrl7nt83Tt0OyOa:G+W4tasGWNK2dJaQ3/XGyU9l7t0B0e
Threatray	2'655 similar samples on MalwareBazaar
TLSH	90F4120276AC6F66F83E9BF67935211443F9AD2B29A0F61D9DC150EF1822F444B61F83
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

DA01-19415_Payment.r09

Verdict:

No threats detected

Analysis date:

2021-02-16 13:01:00 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/fcacffef-b5b8-48b5-9ddc-d5249e448224

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/117357/

Detection(s):

SecuriteInfo.com.Trojan.Packed2.42845.UNOFFICIAL

Sanesecurity.Rogue.0hr.20210216-0607.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

80 / 100

Link:

https://www.joesandbox.com/analysis/609046

Signature

.NET source code contains very large array initializations

Binary contains a suspicious time stamp

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/14cfd67c3c951abc14be2cd169d09d7361d346131438ffa7d83fcb63cb9e2a2c/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-02-16 02:11:43 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 29 (72.41%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=cth5m7b4sunlyff6ftiwtue5onq5grqtcq4p7j6yh7fwhs46fiwa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1b15f992f5339280a6ffcd88e12cdbd358f3fd2ea797ec96036d2d8cf62210d6

AgentTesla

1dba88d2a711e0efb588cb9465a78513b45c80736ca55b31a678993eb5d89152

AgentTesla

5d9938c5f5b37b02eba6c35969a6e8a9b58f63c38e0381e267bb1809dec2ba23

AgentTesla

63adb2924e560b5372169c820684773bba83fe0ab3e0b51ecf3192b0cda9d774

AgentTesla

872243dcfd043d984136c2be7ab859d8d2480be48bba92ef3236d6b45fd1c9f4

AgentTesla

8f61c978bb49ad072955763d7591104d967c7ac3380d8ef1157bf5e158f79770

AgentTesla

aeed73db1f8a4bff2294235f9175e96d38f2890cd8a477fc9d33f744d997a240

AgentTesla

b996aa93cfd2549ee1548a4940194b421808975059805614ef9b40bb5e75c8d1

AgentTesla

f1eda024214adb75fe2aa99abd7b2c8e8cecce443d80a0305a916bb8e03a2bf8

AgentTesla

+ 2'645 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

5/10

Tags:

n/a

Link:

https://tria.ge/reports/210216-znjll5d87s/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Unpacked files

SH256 hash:

2ec41720b412f91f91daaefea38007449491b2c016238aa8f23b6866c89bc788

MD5 hash:

987ce346069cf47535e5ac57265c7228

SHA1 hash:

d0085325ed78fcac6d1f605753237abd1c40db22

Link:

https://www.unpac.me/results/2d146aba-7ed0-47b6-aba6-6695a2423cd7/

SH256 hash:

c98631f3d6938e3b77cb78507ed591d11c20cfc4090c5387d18afa54a3c0f306

MD5 hash:

ee18590612381f658fe3596085a9a5ce

SHA1 hash:

c16c30f86b16f4381a6aaa60e2f006c56ee4c20a

Link:

https://www.unpac.me/results/2d146aba-7ed0-47b6-aba6-6695a2423cd7/

SH256 hash:

6eed91473e464232031eb7635e64cdd95810d8d27c17d1cf4b9b9464380a65a5

MD5 hash:

50a74c3f65f7863109494c4a87684816

SHA1 hash:

5fdf0cdba1b7818fdd4161a29cc326e0a1a8ac32

Link:

https://www.unpac.me/results/2d146aba-7ed0-47b6-aba6-6695a2423cd7/

SH256 hash:

14cfd67c3c951abc14be2cd169d09d7361d346131438ffa7d83fcb63cb9e2a2c

MD5 hash:

2be2bd813f07842576f03aa5d7270f91

SHA1 hash:

87f70ac05f914df3a83deb314b3729e9211ac6b6

Link:

https://www.unpac.me/results/2d146aba-7ed0-47b6-aba6-6695a2423cd7/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/14cfd67c3c951abc14be2cd169d09d7361d346131438ffa7d83fcb63cb9e2a2c

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/117357/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample