MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a2d575b11f10dbfdedc130abd8730b77212a24188a5bf9695458c9733f2381f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	1a2d575b11f10dbfdedc130abd8730b77212a24188a5bf9695458c9733f2381f
SHA3-384 hash:	e065c2190861b7772136825b423f1d34534fbaaaf3f1fe4593433d2ea196d3b90d9cdebce64781a28d69dee61dcde11b
SHA1 hash:	7438660e5eb405a4d6bd3ef044bad2664fa26cbd
MD5 hash:	500ca612ea619a8568560841a97c4f24
humanhash:	jersey-oranges-may-crazy
File name:	image001.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	973'824 bytes
First seen:	2020-12-04 16:06:12 UTC
Last seen:	2020-12-04 18:05:53 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:WBDN6Zr5k8CE70r2NKqpabgRhgyNflEGNDE:WBkr6xE70iNKiTggdER
Threatray	1'688 similar samples on MalwareBazaar
TLSH	64256CAC726072EFC867D462DEA82C68EA5174BB931F4103902715EDDE4E897DF244F2
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

233

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/106782/

Detection(s):

Sanesecurity.Rogue.0hr.20201204-1606.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Using the Windows Management Instrumentation requests

Creating a window

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/555831

Signature

Detected unpacking (changes PE section rights)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

PE file contains section with special chars

PE file has nameless sections

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/1a2d575b11f10dbfdedc130abd8730b77212a24188a5bf9695458c9733f2381f/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-04 16:05:41 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

20 of 28 (71.43%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=diwvowyr6eg37xw4cmfl3bzqw5zbfisbrcs37fuviwgjom7shapq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

19006e1934a36332207bb746cdfad53e5264682ed947d4f6c99debecefe12f99

AgentTesla

25c6ed88a34e97a0d1c4c8fa3d2c90a6b39345a56f0dbf5775bb2e4d2320415f

AgentTesla

2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51

AgentTesla

a261898485667823b47ab6885b0cd8c16d126bc0f1671dd7aeb9b675aa01aff0

AgentTesla

bda798b8e628a9b364450614d203b2d1540155c102eddc36ad8a6ebfba18aca8

AgentTesla

c8a8b43ec47c6c9831e275e2009ab58f7794374b4876fe72dbc4151296330aec

AgentTesla

ccf7cbe501b4e91d8f020fb061bbb24167316704bb9566aed6a6a5bc36df3d73

AgentTesla

ce2c29bbd18352557dd6fb16e294265d66d8d13e6d0586ef8030bbeb28e0cc97

AgentTesla

f06c40df7dde44469aa47985010736dbd83224df91951b9d55cdb7a377353a61

AgentTesla

+ 1'678 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201204-dyep8dver6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

3f096433f5712823460eb9ab65833b92775b1d97fa422ef327e46e82a757a73a

MD5 hash:

2ef77b9c3b50d03480bd013888903ca8

SHA1 hash:

9b52d4d9d7be1bca53a918d19df8311147e315a0

Link:

https://www.unpac.me/results/19cab09a-f43e-4b3a-86f3-6f2512473389/

SH256 hash:

44712b95192bbcd51479cf1f87291d745802b2316716905d0ef80d0699e13628

MD5 hash:

813c1fd230d98cd0b7718c51b76bbd67

SHA1 hash:

b8c81e314361e4962219f00368909e00096373cc

Link:

https://www.unpac.me/results/19cab09a-f43e-4b3a-86f3-6f2512473389/

SH256 hash:

e2bced7d4ecdbfb30e2ec577e8cf5763baf79003abd4639b01a94d9f59c61612

MD5 hash:

3f15938fe7adbe3d461d1ab60b2ce99b

SHA1 hash:

c7d82935db54c6e21b8fc1575d685b99cf8a22d9

Link:

https://www.unpac.me/results/19cab09a-f43e-4b3a-86f3-6f2512473389/

SH256 hash:

1a2d575b11f10dbfdedc130abd8730b77212a24188a5bf9695458c9733f2381f

MD5 hash:

500ca612ea619a8568560841a97c4f24

SHA1 hash:

7438660e5eb405a4d6bd3ef044bad2664fa26cbd

Link:

https://www.unpac.me/results/19cab09a-f43e-4b3a-86f3-6f2512473389/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

0.75

Link:

https://yomi.yoroi.company/submissions/1a2d575b11f10dbfdedc130abd8730b77212a24188a5bf9695458c9733f2381f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/106782/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample