MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 1d21fe93f7cc6898d25510b30ae921a1704780858f8610974a31aed7de457d70. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 1d21fe93f7cc6898d25510b30ae921a1704780858f8610974a31aed7de457d70
SHA3-384 hash: 2765bb8a8d2f1b41c3b4be1733e4bb5996ca6bafb4a286a6f166c0a1e65e970eaef1a7b7d84ad661a683509257aa71db
SHA1 hash: 84e2f866912360a2adbcdd1ffb89edc4b61e63bb
MD5 hash: 8ed67b15c0b6ac9a28e8912c92128fe1
humanhash: nevada-five-romeo-mountain
File name:BILL OF LADING SHIPPING DOCSPDF.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:288'768 bytes
First seen:2020-11-24 06:33:43 UTC
Last seen:2020-11-24 06:35:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'753 x AgentTesla, 19'658 x Formbook, 12'249 x SnakeKeylogger)
ssdeep 6144:XOqo00D75F7kUQaly81RvJqDt/n3/06idAVjPuv3N6d27auao08:XOq0D75FoUQa48Na7jPuv9Rau7
Threatray 44 similar samples on MalwareBazaar
TLSH 3654E045A1CCDAE6C815877E63A25D35022EB2BF59F6F74A300DE1736B223857D4260F
Reporter cocaman
Tags:AgentTesla scr

Intelligence

File Origin
# of uploads :
4
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %AppData% subdirectories
Using the Windows Management Instrumentation requests
Reading critical registry keys
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Stealing user critical data
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/545736
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/1d21fe93f7cc6898d25510b30ae921a1704780858f8610974a31aed7de457d70/
Threat name:
ByteCode-MSIL.Spyware.AveMaria
Create hunting rule
Status:
Malicious
First seen:
2020-11-24 04:14:58 UTC
File Type:
PE (.Net Exe)
Extracted files:
10
AV detection:
25 of 28 (89.29%)
Threat level:
  2/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=duq75e7xzrujrusvcczqv2jbufyepaefr6dbbf2kggxnpxsfpvya._file
Verdict:
unknown
Similar samples:
139226ca48cb1aaf2b44ab1816354569548cdad054aeeffb27f038f9401cc5d4
AgentTesla
203f21b604ed394af864797afe9c7da94a1396cacb6edac252243b76de0ab029
AgentTesla
232da40c6835fdd4da0ca25b383098ff2ec0251b7fefe04c09ac82943dc8b197
AgentTesla
500ae25cf76e0cc069f42128aeb1a96072b6d0281a6ed2ff6d0b0a26b4e9556a
AgentTesla
5105c1a352e0f0e2a54b08132d9d1e383f6505a7aa42b8aea411c85551c37175
AgentTesla
649be52b6b0d362efcfc6f1dd79a6b8fbcf85eb2b68f0138f87b6e1cc7e5a418
AgentTesla
8b5b38085f12d51393ed5a481a554074d3c482d53ecd917f2f5dffdf3d2ee138
AgentTesla
a411430730f1de14d1fb6cb2d9eb371c4c921b34d0eee217cc47645aedb5ae74
AgentTesla
a4d56971577536b2742d89e0ead542a8cd8818a798371d1cd04ec22b3931ec56
AgentTesla
ec9d801b120855fe926902234e77c60d5a0c8a115a977fe49e6b6b1539e0db51
AgentTesla
+ 34 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201124-1stwnfcpwx/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
1d21fe93f7cc6898d25510b30ae921a1704780858f8610974a31aed7de457d70
MD5 hash:
8ed67b15c0b6ac9a28e8912c92128fe1
SHA1 hash:
84e2f866912360a2adbcdd1ffb89edc4b61e63bb
Link:
https://www.unpac.me/results/aadf79d7-ef56-423b-9b5c-8d9010bc9bdf/
SH256 hash:
25525edfe17116a8775cc313479a14b697e271a5b08b3c7a3fc3dee47ad1b07a
MD5 hash:
1caef6fbdeddcafc035e2975615e2a61
SHA1 hash:
756cf790fa83d75b1d7530745e382df43b638574
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/aadf79d7-ef56-423b-9b5c-8d9010bc9bdf/
SH256 hash:
2dfd6cf5ebe6ad9a2cc11f78315940fb973037371be881682012ca8c8f3a82c6
MD5 hash:
6f2495ead543677da8cf1b5fe2baf642
SHA1 hash:
98080915acd6eefd9ee9c976e7a657be75332fa6
Link:
https://www.unpac.me/results/aadf79d7-ef56-423b-9b5c-8d9010bc9bdf/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Eldorado
Score:
0.90
Link:
https://yomi.yoroi.company/submissions/1d21fe93f7cc6898d25510b30ae921a1704780858f8610974a31aed7de457d70

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 1b2cf23895a8b87faa2a0cff4bdc448572357aeadf114353517cdb9055a38d23

AgentTesla

Executable exe 1d21fe93f7cc6898d25510b30ae921a1704780858f8610974a31aed7de457d70

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 1b2cf23895a8b87faa2a0cff4bdc448572357aeadf114353517cdb9055a38d23
  
Dropped by
SHA256 a97cd1d62e2080be383ed0b6526e4741feb2df0b0815b035b45a5f532dceca52
  
Dropped by
SHA256 2cf90b12f321a421499450d54025b0c746f3f040e1fb971f7047ac32ab9fe67e

Comments