MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1cf6a36e578cec30303b5daf5c545e6b139419c99f2771bf40179bb45756e92b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA File information Comments

SHA256 hash:	1cf6a36e578cec30303b5daf5c545e6b139419c99f2771bf40179bb45756e92b
SHA3-384 hash:	60896a22135df057b588b0ddecdaa3c02c379ce6db3531e37a5897aa8f0739703be2787e98bf6f52b746a0246c8758c4
SHA1 hash:	578c6597dfa19be767991e2b8832d78714d41363
MD5 hash:	d46403d051be3eb5f7755c9128ef5986
humanhash:	cardinal-shade-carolina-robin
File name:	7840134D.SCR
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	913'920 bytes
First seen:	2020-11-18 06:14:03 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:J0LhOZUog4/bt8LFUcc6+qHfRSiUI4MMCkHwquX43vwvLBJjd5Sy7XnYkM:BV/x8J+q/4DkxYOKo9V7YkM
Threatray	13 similar samples on MalwareBazaar
TLSH	C715CF322AB6EFA1C6790BFB8251B1140FBE5E676068F65C2CC570DE1DB4F044A41EA7
Reporter	fabjer
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

115

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

Win.Malware.Smdd-6922230-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Using the Windows Management Instrumentation requests

Enabling autorun by creating a file

Result

Verdict:

SUSPICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.adwa.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/540367

Signature

Found malware configuration

May check the online IP address of the machine

Modifies the hosts file

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Scheduled temp file as task from temp location

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/1cf6a36e578cec30303b5daf5c545e6b139419c99f2771bf40179bb45756e92b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-11-18 01:40:37 UTC

AV detection:

24 of 28 (85.71%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=dt3kg3sxrtwdamb3lwxvyvc6nmjzigojt4txdp2ac6n3iv2w5evq._file

Verdict:

unknown

AgentTesla

685222a6d5d41bc23a1e4637ab8c3ed19d6075faaab2730d0f8599a24cd1c0a2

AgentTesla

7364ac8ee7f693d8b81815103c39f2d92b018b511aa17918282954dbce451478

AgentTesla

786f93f0f40176b4719fef2038c6f1f87ae6aee5d2293fcd03fbf52679cb75d6

AgentTesla

7d3beeb2ab6a13038bce7d962a19a4d004a4526934823e23b8f1c5f68ed1800e

AgentTesla

8e8b84c841ade24a5d37953d56881e5a4e6bfa3eb133621dc835f92e51b6df79

AgentTesla

96036d8808f95f6746d1d95dc3f157b5b7b4224cc5d01b15162ce7f048d81be7

AgentTesla

ca3cc0fc804c69584801fc33a39effafb6b2a747f4ef0958348cc13eaa2c5e3f

AgentTesla

ce431d943b7df67690c0c89d1556a8d9ca222a78568d56c8c3aeaccc74f40fd4

AgentTesla

e97151ce51e9463bd45ad41571141614fc0ffc8a8cbf2c74f36c20028a769f41

AgentTesla

+ 3 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/201118-mtn3ntkhks/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies service

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops file in Drivers directory

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso cc4a7a3281539a4baa7ed7d449f52c85c83b37a02875b7c004c594b771ef44d4

AgentTesla

exe 1cf6a36e578cec30303b5daf5c545e6b139419c99f2771bf40179bb45756e92b

(this sample)

Dropped by

SHA256 cc4a7a3281539a4baa7ed7d449f52c85c83b37a02875b7c004c594b771ef44d4

Delivery method

Distributed via e-mail attachment

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample