MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24d8632d58bfa7019f691346f9715cef64dc11887fc5140054ecf5b422f1f68d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24d8632d58bfa7019f691346f9715cef64dc11887fc5140054ecf5b422f1f68d
SHA3-384 hash: 208c307d0d1a039e7ce47d2da0ff18c5559179c69f0db0e58860de936a2299830d131b69c15251c95c334ae5d0623508
SHA1 hash: 14738e7b2c7cc9a6a2ec3c7a850807623225df32
MD5 hash: ef6b7128c7786f40111e700d38f10b8f
humanhash: whiskey-neptune-mobile-fruit
File name:PAYMENT.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:694'784 bytes
First seen:2020-09-16 12:16:28 UTC
Last seen:2020-09-16 15:43:38 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 63d5d5e1ba3d09d269bbbd87e853a0d7 (7 x MassLogger, 5 x AgentTesla, 1 x NetWire)
ssdeep 12288:S9+UFSbzwd6xyFjH8H1NDNCqovrO4OsOjk8pXcivm:k+pbzwIxk4VdoqmOztG
Threatray 1'541 similar samples on MalwareBazaar
TLSH C5E49E26E1D09837F1275E39CC0B97B8A829BE90295B58463BE5ED4C8F3C791391E1D3
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
100
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/62028/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Reading critical registry keys
DNS request
Sending a custom TCP request
Sending a UDP request
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/467795
Signature
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24d8632d58bfa7019f691346f9715cef64dc11887fc5140054ecf5b422f1f68d/
Threat name:
Win32.Trojan.Masslogger
Create hunting rule
Status:
Malicious
First seen:
2020-09-16 10:26:42 UTC
File Type:
PE (Exe)
Extracted files:
53
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=etmgglkyx6tqdh3jcndps4k455snyemip7criacu5t23iixr62gq._file
Verdict:
malicious
Label(s):
hawkeyekeylogger
Create hunting rule
Similar samples:
07733638a39beadad8c496d03fbdd66b49d82e22fcaf7ee9dbadaa8fde982aee
AgentTesla
64bf9e6d16667c6967da60414f0e3146ea6da3d8df4432a1c9289a11e3411bc2
AgentTesla
8d9935cd8f8d2e5f305b229f6992fbee9e4b5c4e6063568c5e150f51fa0f91b1
AgentTesla
a8a6c630b10f07fff8350fa8590b67ee21f67051e2bc7f8586e5316b1675691d
AgentTesla
a921089f3327d511043c7feffed9985bfb3a7ca5ee43e0724c344ad8cb63fbf5
AgentTesla
b60334d1ae623de52b95660c1869e65a7c1b075ca58f2ad48711beb931190c5e
AgentTesla
b62e2d5028a28c3a636d1ab777d9a0ecaca17c55fdc7cda34671adae93f76625
AgentTesla
cc5b616ee151f836fb52d686f978123c5427d27f738baaea8583e791f9742686
AgentTesla
d0ced70a4b700dc5e0905bf3743a224ac4722139d7507e367c32880c72ecd048
AgentTesla
f97b051a72d6243fdc053b92d0bdcb3f27a3acd5be0a4a83df07a3d17a2ffdf9
AgentTesla
+ 1'531 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200916-hbtvgn1p2x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/24d8632d58bfa7019f691346f9715cef64dc11887fc5140054ecf5b422f1f68d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 64ad15a6c3b32004f75bdeee57f3abe38471bde6f2dabf4993d097d842642057

AgentTesla

Executable exe 24d8632d58bfa7019f691346f9715cef64dc11887fc5140054ecf5b422f1f68d

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 64ad15a6c3b32004f75bdeee57f3abe38471bde6f2dabf4993d097d842642057
Cape
Cape
https://www.capesandbox.com/analysis/62028/

Comments