MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1a8c8bdbe643691a37a6b52f7d38cbbd0a66290f645ec0d08452bfc8a90ff89f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1a8c8bdbe643691a37a6b52f7d38cbbd0a66290f645ec0d08452bfc8a90ff89f
SHA3-384 hash: 8ddeaca5f63243b6d713f2b0171f1505baa6644a06a515e049a4d15fe15c835a68ae538fe62362b2d2ccb953189eebb4
SHA1 hash: bfdb45f0360665069ef0d4425a1cc34859000c78
MD5 hash: afb98659dcd277a203809de00b605cea
humanhash: bacon-east-hydrogen-hydrogen
File name:October Order confirmation _00999345678.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:727'040 bytes
First seen:2020-10-22 11:51:28 UTC
Last seen:2020-10-22 13:22:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'470 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:8R3HmLROZBnmTZ3sM4D5ukf46wJn1v5gXzKS0j/chwsZ+QV:uBmcD5ukQd5EuS0j/chDz
Threatray 2 similar samples on MalwareBazaar
TLSH 49F4E0A1EFA79B53E03DD7B96011112017F0A7A5E326D7BCBEE440D80B57E8C4666F22
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: server.sfsspharma.com
Sending IP: 188.225.83.149
From: FARM-AG<admin@ramaconcorp.com>
Subject: October Order Confirmation
Attachment: October Order confirmation _00999345678_PDF.rar (contains "October Order confirmation _00999345678.exe")

AgentTesla SMTP exfil server:
mail.impressindia.net:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74628/
Detection(s):
SecuriteInfo.com.Variant.Barys.11488.26821.31623.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Launching a process
Creating a process with a hidden window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/507042
Signature
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Found malware configuration
Initial sample is a PE file and has a suspicious name
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/1a8c8bdbe643691a37a6b52f7d38cbbd0a66290f645ec0d08452bfc8a90ff89f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-22 08:05:30 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=dkgixw7ginurun5gwuxx2oglxufgmkipmrpmbueekk74rkip7cpq._file
Verdict:
unknown
Similar samples:
06f143f2f9c6638d78f77f282959296fbec4d4dbd3b77029d91d3bb650201f5b
AgentTesla
ac4d58dc0ca5617911f7ff52953cec2eac9249963dbce3b2f682aeb6eb1baa77
AgentTesla
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201022-5nw1c28ntn/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
1a8c8bdbe643691a37a6b52f7d38cbbd0a66290f645ec0d08452bfc8a90ff89f
MD5 hash:
afb98659dcd277a203809de00b605cea
SHA1 hash:
bfdb45f0360665069ef0d4425a1cc34859000c78
Link:
https://www.unpac.me/results/a79e215b-25e4-4765-8760-b4368a7ddbb0/
SH256 hash:
bd08a9d6225b4ba6822e64c8aa8a452d724398166883f49f7dea279d8801bdf2
MD5 hash:
b75eebd0ca48147bb00a2df86cadf081
SHA1 hash:
8c9c2166e0f4c009ee56aae51ae591ee1cc475f7
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/a79e215b-25e4-4765-8760-b4368a7ddbb0/
Parent samples :
c6e31cea39a3aba66e0f5d716f58169797e37255f912d0187defbd912ec52331
1a8c8bdbe643691a37a6b52f7d38cbbd0a66290f645ec0d08452bfc8a90ff89f
SH256 hash:
8f8a066fabf465d4afb33bf265561c272add364be2d2872afce8c3ef40fc6234
MD5 hash:
8762e6875bb2314eb59eef7a03be9fbd
SHA1 hash:
b5a1a45cf9a2f47e4ced0559aa87b5a9641356ac
Link:
https://www.unpac.me/results/a79e215b-25e4-4765-8760-b4368a7ddbb0/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/a79e215b-25e4-4765-8760-b4368a7ddbb0/
SH256 hash:
804d3568d5dcf3e6d776ca5a78786fe5cc0de3c08b98d89a39f45f5dd30e4606
MD5 hash:
341beda580f0eeb78f0c37ad46807f77
SHA1 hash:
f85344efae1ea71eefd65316db6c6f31c881624a
Link:
https://www.unpac.me/results/a79e215b-25e4-4765-8760-b4368a7ddbb0/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar c17af2c4fcfc0f2f0898f96a8a166524ae0ab3ad6ddeaff21ef2d5a42c3a0c76

AgentTesla

Executable exe 1a8c8bdbe643691a37a6b52f7d38cbbd0a66290f645ec0d08452bfc8a90ff89f

(this sample)

  
Dropped by
MD5 7934cfe6437c714218a60c46d11d1ed8
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74628/
  
Dropped by
SHA256 c17af2c4fcfc0f2f0898f96a8a166524ae0ab3ad6ddeaff21ef2d5a42c3a0c76

Comments