MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 18c5a3095c046015c7ae1e35d3c1050ff08314d512b459ef78c8a9e443be57cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 14

Intelligence 14 IOCs YARA 2 File information Comments

SHA256 hash:	18c5a3095c046015c7ae1e35d3c1050ff08314d512b459ef78c8a9e443be57cd
SHA3-384 hash:	68e377eab8e74d1f949a4fdccacb34bca449b5584ebfe56b94be965fbbe8163284a08bffcdfc68a7307c9bf2a4b98c98
SHA1 hash:	b7beb1e6251dc2ee9d5f27eff4f596269c09fe97
MD5 hash:	b96f60ec341e84004be42b9fdffd428b
humanhash:	harry-harry-ohio-nevada
File name:	Johnson& Johnson 2022 -PO- 216238068.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	706'560 bytes
First seen:	2022-05-31 05:39:31 UTC
Last seen:	2022-05-31 09:34:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'205 x SnakeKeylogger)
ssdeep	12288:4rXpUSlB61512FRmAaJX09xzCYFo9Y6n18LJRhYT4kAyTxjbfI0YPbJ/:mXpUSlB61512LtI0P2ESY61ODOTGyTKp
Threatray	17'350 similar samples on MalwareBazaar
TLSH	T124E4123026384252CDBF1BFD6151A25523359256EB07FB2EEED08AD93CD339199072E6
TrID	64.2% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 11.5% (.SCR) Windows screen saver (13101/52/3) 9.2% (.EXE) Win64 Executable (generic) (10523/12/4) 5.7% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 3.9% (.EXE) Win32 Executable (generic) (4505/5/1)
File icon (PE):
dhash icon	70f8ecccece87070 (15 x Formbook, 9 x AgentTesla, 8 x Loki)
Reporter	lowmal3
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

agenttesla

ID:

File name:

Johnson& Johnson 2022 -PO- 216238068.exe

Verdict:

Malicious activity

Analysis date:

2022-05-31 05:40:36 UTC

Tags:

agenttesla

Link:

https://app.any.run/tasks/41ab1e4b-7368-4bd4-9130-9ec35e479ff0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/275586/

Detection(s):

SecuriteInfo.com.Trojan.Siggen17.60305.1183.19062.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Сreating synchronization primitives

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

obfuscated packed

Link:

https://www.filescan.io/uploads/6295aa356eb3ff3263432b30/reports/b0a5ca0a-1439-4dfe-a599-ec5e9bb8388d/overview

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Agent Tesla

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c87c2968-6df5-4b3f-b133-c342bd5380e2

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1003950

Signature

Adds a directory exclusion to Windows Defender

Found malware configuration

Malicious sample detected (through community Yara rule)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Uses the Telegram API (likely for C&C communication)

Yara detected AgentTesla

Yara detected AntiVM3

Yara detected Generic Downloader

Yara detected Telegram RAT

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/18c5a3095c046015c7ae1e35d3c1050ff08314d512b459ef78c8a9e443be57cd/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2022-05-31 05:31:59 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

17 of 26 (65.38%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=ddc2gck4arqblr5ody25hqifb7yigfgvck2ft33yzcu6iq56k7gq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

7e0e5a0e9b9098c0d8992cc30a373bc38465ce3dde2269d26f1c65cbbbc62bd7

AgentTesla

8283b086fa3d9a467712bb2bc822d2db194db33d49bd4a89d120283f9723461c

AgentTesla

82be1914ffbd988bb2f59e64904fa01296f8342bea5fb28a8acca31a70287229

AgentTesla

a9a3cf652bccfa1482aa9856a8c3ffe6ecd932d877f807cbe657130bd93f4de9

AgentTesla

+ 17'340 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/220531-gcv34abebq/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Checks computer location settings

AgentTesla Payload

AgentTesla

Malware Config

C2 Extraction:

https://api.telegram.org/bot1633482536:AAF1JIS_DaayovuRrLGy_POYaI3DRc2CrPY/sendDocument

Unpacked files

SH256 hash:

b91307eeae6495cc3202fb1ec39e3f58534be4b1a60795d0b31fd52c76f040d4

MD5 hash:

19f1df1e9b8f809b61dab4490cdc6e9c

SHA1 hash:

9e2e47b1ae0d94e894a88ce28a7c8a7c1a00e8ef

Link:

https://www.unpac.me/results/82085125-8944-45c4-b8a9-7b3e38032692/

Parent samples :

827774cd3d42753b5a959a706a3ae0d989cd6b1cdb9eb54590acdc37f086d4b4
5509e143021f95074f9cde2dac4d79960710adb794bb1cdf57582be08681c3bf
57191284c75940f3a637266acc38d3a503ab97a52c9d99a0a85ff61d27420b6f
44adde49a051c923e1ed89d0adfa105fb66f85bebe630f625c29e25f93da3043
604c52301a76a47042112a3a7fca37f1c6c205a0888a6e28c5555406c55b2279

SH256 hash:

902ebd0e2672b56c87d4d2384be3c23f871b11a3a75170de77aed01dacfeb5b2

MD5 hash:

f8249b0c14607134be089f00803b42da

SHA1 hash:

680de7c7076b8855c6cb74452e86a63f7a80e53e

Link:

https://www.unpac.me/results/82085125-8944-45c4-b8a9-7b3e38032692/

SH256 hash:

f78e572790ec4957a2468199203ac6872cc2b0476c0021fa1133ea759126d89a

MD5 hash:

56fca32b5e3a75d74b8c21a84c3f7217

SHA1 hash:

1f76b27825ec8204dc282b972f783bee9621c207

Link:

https://www.unpac.me/results/82085125-8944-45c4-b8a9-7b3e38032692/

SH256 hash:

879c29560b21be7d9b69ca27ca4756df86e080fa3e34cb191aad5cb1e5f05504

MD5 hash:

30b6a54a992eae921a2eb8c5ea130911

SHA1 hash:

1c83f0319bffe007077c6656418c9b7344d5affe

Link:

https://www.unpac.me/results/82085125-8944-45c4-b8a9-7b3e38032692/

SH256 hash:

18c5a3095c046015c7ae1e35d3c1050ff08314d512b459ef78c8a9e443be57cd

MD5 hash:

b96f60ec341e84004be42b9fdffd428b

SHA1 hash:

b7beb1e6251dc2ee9d5f27eff4f596269c09fe97

Link:

https://www.unpac.me/results/82085125-8944-45c4-b8a9-7b3e38032692/

Malware family:

AgentTesla.v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/18c5a3095c04/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/18c5a3095c046015c7ae1e35d3c1050ff08314d512b459ef78c8a9e443be57cd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.