MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 20f8346e2d21705831f11df957ab056989639c5004abcf76be886721bb201500. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA 3 File information Comments

SHA256 hash:	20f8346e2d21705831f11df957ab056989639c5004abcf76be886721bb201500
SHA3-384 hash:	436d6cf8b752d5811762de2e3391f8b80c12a8a303d77b052d42f9d4bacbf3b3fd02a64a8a46e8efc25c5e4af91c0485
SHA1 hash:	405493faf2309bcdff988e9dc84847df2265d180
MD5 hash:	4d0a8fd72171337ecd2b773b7455ea96
humanhash:	oranges-purple-december-zebra
File name:	Recebimento pago OC456337.JPG.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	575'488 bytes
First seen:	2023-04-12 05:26:55 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep	12288:4IpJ9FKxLqK9eAt1YLJbcLCmkg3cLRhZyyAIcQhWd+c6A:/9FKAKpb2m5sPMyAHdd+c
Threatray	1'959 similar samples on MalwareBazaar
TLSH	T19CC4F19E66B5EFA5F44D0FB55440148213B8E299F4A8DD9C9CD323E347B2FA241087EB
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

AgentTesla SMTP exfil server:
mail.corpsa.net:587

Intelligence

File Origin

# of uploads :

# of downloads :

271

Origin country :

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

ForwardedMessage.eml

Verdict:

Malicious activity

Analysis date:

2023-04-11 19:03:48 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/b2322850-ff83-4d64-8a37-32ce4cf28496

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/381643/

Detection(s):

Sanesecurity.Malware.28872.BadIN4.UNOFFICIAL

SecuriteInfo.com.Trojan.Siggen20.33757.31197.5243.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

barys comodo lokibot packed

Link:

https://www.filescan.io/uploads/643641270dbc8763b8a11d1b/reports/a251194d-b3aa-4b1d-b889-0b318d4d6c30/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_100%

Link:

https://www.hybrid-analysis.com/sample/20f8346e2d21705831f11df957ab056989639c5004abcf76be886721bb201500

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Suspicious

Link:

https://analyze.intezer.com/analyses/221aac61-4def-4aaa-9f8e-0dd7cc6b04c9

Result

Threat name:

AgentTesla, zgRAT

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1212252

Signature

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected zgRAT

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/20f8346e2d21705831f11df957ab056989639c5004abcf76be886721bb201500/

Threat name:

Win32.Trojan.Leonem

Status:

Malicious

First seen:

2023-04-11 14:57:29 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 24 (87.50%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ed4di3rnefyfqmprdx4vpkyfngewhhcqasv465v6rbtsdozacuaa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

04aa55e1600b801ddda368268eaf6f2ab9858f402b526468d727a943eadfb122

AgentTesla

0ba799607c3249b17cb474a73a255b0f38dc09e05526258c9144e23209b1a01a

AgentTesla

1d33467dba0945d2a0dab179b6d5a38c9e936f3c51a12dbefdaf361df2a62562

AgentTesla

3767034cddc1a47d2ca81f77f185af6a8228d6864c822f2e1e46672260ecbef2

AgentTesla

44287432a3d063068dd3119d3a89398a44c14ec36411636595d5b1e01dd7d1cc

AgentTesla

69fa15d77275d1d0383f6a1ec7137989a392fe17050cb90f3670e8e834f931be

AgentTesla

7e8283583026a288a16c98682ce3cf18308f78cb08cebf3dd6b3376aa7089733

AgentTesla

d516e4901dd234c9dadef6a593e04c85c00e83d092490d7a7398339d79c4b727

AgentTesla

e2c40dfbb54a5fe183a97cb7be58ee20969e9f0f7744df829f2b02619fc529e2

AgentTesla

+ 1'949 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/230412-f5eq5sbg4w/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

1947149b795c1a2685bfec0def803bdd403070dd1d2a7ee6d4ae58b6e4d845ca

MD5 hash:

8fc0ba27e4b839bdeadc5f5d1f720aad

SHA1 hash:

b4d6c1bdaf99311d778454325d42346d31855fff

Link:

https://www.unpac.me/results/ae98d700-69f0-47bf-bf9d-516c3076cf38/

Parent samples :

d850ceb318e1d078e00f9f59ff80f6775b8f19bfa26f5f0750582a73e51e4fcf
3a33384b0027c321a9643ba9428d7227aa6b4401e3882f91cc93539590500411

SH256 hash:

7fc0ee7cf6d7246651b89f163b0dc12fcc47a69d835f720e5f31216be7e86414

MD5 hash:

74cd110d19042e93a9e27b0cea5cce6b

SHA1 hash:

9e633b69892239b617c76e6adab845fb84078ac0

Link:

https://www.unpac.me/results/ae98d700-69f0-47bf-bf9d-516c3076cf38/

SH256 hash:

40c050c20d957d26b932faf690f9c2933a194aa6607220103ec798f46ac03403

MD5 hash:

c768bac25fc6f0551a11310e7caba8d5

SHA1 hash:

95f9195e959fb48277c95d1dd1c97a4edff7cb3a

Link:

https://www.unpac.me/results/ae98d700-69f0-47bf-bf9d-516c3076cf38/

SH256 hash:

b9a9efdb425608d59f66fca74b4f319111e1983d0f24db947cf0b959122e67c7

MD5 hash:

5c413dbcdbd675206a10c296948282f9

SHA1 hash:

320da8dd5dbd9289b744ea65e4964f9c298f210c

Link:

https://www.unpac.me/results/ae98d700-69f0-47bf-bf9d-516c3076cf38/

SH256 hash:

6413c60502ba771163bb96527a5b8fdf5d765cd19f89bca13c6442bbd8bdb4bd

MD5 hash:

d52609f7faa0c91840a49a848a476000

SHA1 hash:

268d289f07cd7f58d0c4db7d785fa350a3ed431a

Link:

https://www.unpac.me/results/ae98d700-69f0-47bf-bf9d-516c3076cf38/

SH256 hash:

20f8346e2d21705831f11df957ab056989639c5004abcf76be886721bb201500

MD5 hash:

4d0a8fd72171337ecd2b773b7455ea96

SHA1 hash:

405493faf2309bcdff988e9dc84847df2265d180

Link:

https://www.unpac.me/results/ae98d700-69f0-47bf-bf9d-516c3076cf38/

Malware family:

AgentTesla

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/20f8346e2d21/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/20f8346e2d21705831f11df957ab056989639c5004abcf76be886721bb201500

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	BitcoinAddress Create hunting rule
Author:	Didier Stevens (@DidierStevens)
Description:	Contains a valid Bitcoin address

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 20f8346e2d21705831f11df957ab056989639c5004abcf76be886721bb201500

(this sample)

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/381643/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample