MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 17a8a1cf50fab9fd70406eea7ac849a15ab69224feffaddf0a72ee0a93332215. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	17a8a1cf50fab9fd70406eea7ac849a15ab69224feffaddf0a72ee0a93332215
SHA3-384 hash:	9543d13b2874690e8efe5afaa44d9032d0143460ff960668f06f109699ae1f1173b0bcf812d85dde7b978fe8b01d4e63
SHA1 hash:	bc8b0d6f7e227368b05196776c54735a43e109d7
MD5 hash:	550a111b2ae9de51106eac88c505c419
humanhash:	enemy-video-cold-asparagus
File name:	PO#GEMINI_pdf.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	850'432 bytes
First seen:	2020-12-03 08:30:31 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'744 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	6144:bMdUX2XQ77qf55M28VWww1rTblsbyv5ox5jXBLkrZWDcM4lTwBBg:bMaX2XUqx5MObYzrTWrsDng
Threatray	8 similar samples on MalwareBazaar
TLSH	19059BF2FD07E489D06509F0C81ED28D9D62EF1B5769DC89A948F30955B2A0DCEC89F2
Reporter	abuse_ch
Tags:	AgentTesla scr

abuse_ch

Malspam distributing AgentTesla:

From: Marie van der Merwe <thandeka@kbcsa.co.za>
Subject: Order and delivery
Attachment: OVDM-ORDER_pdf.img (contains "PO#GEMINI_pdf.scr")

AgentTesla SMTP exfil server:
mail.gandi.net:587

Intelligence

File Origin

# of uploads :

# of downloads :

137

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/106540/

Detection(s):

SecuriteInfo.com.Trojan.Inject4.6091.7640.331.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/554415

Signature

.NET source code contains potential unpacker

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for dropped file

Machine Learning detection for sample

May check the online IP address of the machine

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/17a8a1cf50fab9fd70406eea7ac849a15ab69224feffaddf0a72ee0a93332215/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-03 08:31:08 UTC

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=c6ukdt2q7k4724can3vhvscjufnlnere73723xykolxavezteikq._file

Verdict:

unknown

AgentTesla

55948fede55c398fce76d97b8316d5da6f958b08746a33f0cdaf4e016f0a1e15

AgentTesla

623d707cab5c5dc378a5100018e29f88949f4ea4be4b34cc2fc36e1612b68100

AgentTesla

72072c06a5fe2aa1ebf6d2d0b8882c1e11565bed693b2cff1be63a228b26886b

AgentTesla

9b21045796c15c4348f79483c825882c491de047a0ca577e0eb6ba770c60e9f6

AgentTesla

9d4101435d5c761e583b31dd48ddcd5bce7081ae2e290f04330e6c4dbf954c92

AgentTesla

ac4bc198b74ee90e9ae296353856fe12fc688a42bdeb2b8b9b4f6c2923cd668a

AgentTesla

fd1fe7db423103d1067ccf7dec534ad9025025106238e3bbe1b45a52995b4294

AgentTesla

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201203-ht48ft5rza/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

6399cbe4472fa15014c0c52a479f81dd8d13d498256541e69ac4714592d92b12

MD5 hash:

bdc74a366fcd94d7d4352a54e5ea0907

SHA1 hash:

39287f88d4c72028e3a9b5ddbc7c61264624fe38

Link:

https://www.unpac.me/results/a6f5f9c5-8001-45a2-9804-e496c4e50b41/

SH256 hash:

c88a66cbf00b12c88e2b970b8bc220e970e8465e56098ced24e97d42be901b94

MD5 hash:

a60401dc02ff4f3250a749965097e13f

SHA1 hash:

3f22d28fd765f831084cb972a8bd071e421c26a1

Link:

https://www.unpac.me/results/a6f5f9c5-8001-45a2-9804-e496c4e50b41/

SH256 hash:

64e1df590205541ea514e7d148f7812e41b17f113d61bda5189ec8171bb60d85

MD5 hash:

d3cea0309708e7af3520dd4e0b76de75

SHA1 hash:

854b3e68d0d322871380c70d07ce7adf10b29422

Link:

https://www.unpac.me/results/a6f5f9c5-8001-45a2-9804-e496c4e50b41/

SH256 hash:

17a8a1cf50fab9fd70406eea7ac849a15ab69224feffaddf0a72ee0a93332215

MD5 hash:

550a111b2ae9de51106eac88c505c419

SHA1 hash:

bc8b0d6f7e227368b05196776c54735a43e109d7

Link:

https://www.unpac.me/results/a6f5f9c5-8001-45a2-9804-e496c4e50b41/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/17a8a1cf50fab9fd70406eea7ac849a15ab69224feffaddf0a72ee0a93332215

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 79f2f44319e8f915e8dc7ee7f660527690132f8f4355e9dd0934d3dc276c0af0

AgentTesla

exe 17a8a1cf50fab9fd70406eea7ac849a15ab69224feffaddf0a72ee0a93332215

(this sample)

Dropped by

MD5 165c11fd310d5ae8915ebd06faaa61e9

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/106540/

Dropped by

SHA256 79f2f44319e8f915e8dc7ee7f660527690132f8f4355e9dd0934d3dc276c0af0

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample