MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 24e90aeb3226d26eb0e7f687d4b201888ced0a54948212aa4f9add68d897f44c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 24e90aeb3226d26eb0e7f687d4b201888ced0a54948212aa4f9add68d897f44c
SHA3-384 hash: edba8520575ccad108a196f8e32bee8d89500c22d735c3ee0a8f8dfdd5c3906152a03b2444b3da936317910b4a5aa54c
SHA1 hash: 6891dba4b4f9b1bee88d1dc73fb296e21ee8f505
MD5 hash: c942b80b0f318876735dbe5b5c9ba4d4
humanhash: mars-sixteen-monkey-nebraska
File name:CV.EXE
Download: download sample
Signature AgentTesla
Create hunting rule
File size:42'912 bytes
First seen:2020-11-05 14:44:06 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'752 x AgentTesla, 19'658 x Formbook, 12'248 x SnakeKeylogger)
ssdeep 768:rQzlYZ700metUbkNw2Apnmh/zZ/zez0NiC+tUf2h3:r2lYl0bQUbkNfHh/zZ/zez0NiC+tUfw
Threatray 972 similar samples on MalwareBazaar
TLSH 5A134205A040F227CB9A16341C83D8663AE2D67345E191C9A4BC5E8FDF43FA6BF5D4CA
Reporter cocaman
Tags:AgentTesla exe

Code Signing Certificate

Organisation:Microsoft Windows
Issuer:Microsoft Windows
Algorithm:sha256WithRSAEncryption
Valid from:Nov 5 14:09:05 2020 GMT
Valid to:Nov 5 14:09:05 2021 GMT
Serial number: 5C23E386838D22025E7E330143EBAAA7
Thumbprint Algorithm:SHA256
Thumbprint: 552F3B43D53EE994092CCBD22F87D45F50E87114C6DB08638E5B437CC82A9C28
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
1
# of downloads :
65
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/83274/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a process with a hidden window
DNS request
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/521571
Signature
Connects to a pastebin service (likely for C&C)
Contains functionality to hide a thread from the debugger
Found malware configuration
Hides threads from debuggers
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 309885 Sample: CV.EXE Startdate: 05/11/2020 Architecture: WINDOWS Score: 100 31 Found malware configuration 2->31 33 Yara detected AgentTesla 2->33 35 Machine Learning detection for sample 2->35 37 Connects to a pastebin service (likely for C&C) 2->37 7 CV.EXE 15 2 2->7         started        11 WerFault.exe 2->11         started        process3 dnsIp4 23 hastebin.com 104.24.127.89, 443, 49726 CLOUDFLARENETUS United States 7->23 25 192.168.2.1 unknown unknown 7->25 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->41 43 Hides threads from debuggers 7->43 47 2 other signatures 7->47 13 CV.EXE 2 7->13         started        17 timeout.exe 1 7->17         started        45 Writes to foreign memory regions 11->45 19 CV.EXE 11->19 injected signatures5 process6 dnsIp7 27 smtp.yandex.ru 77.88.21.158, 49743, 587 YANDEXRU Russian Federation 13->27 29 smtp.yandex.com 13->29 49 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 13->49 51 Tries to steal Mail credentials (via file access) 13->51 53 Tries to harvest and steal ftp login credentials 13->53 55 Tries to harvest and steal browser information (history, passwords, etc) 13->55 21 conhost.exe 17->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/24e90aeb3226d26eb0e7f687d4b201888ced0a54948212aa4f9add68d897f44c/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Suspicious
First seen:
2020-11-05 14:46:04 UTC
File Type:
PE (.Net Exe)
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=etuqv2zse3jg5mhh62d5jmqbrcgo2csussbbfksptlowrwex6rga._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0233c43ce1cf759e1d8c8d343b03bfbad84652b12fe32b0e54b7fc7c08bdcc88
AgentTesla
2da02cb0f56579332322d544b18a172c8a3ea6f9506bc9e4a014943ebf174c56
AgentTesla
3a5b1c9c7e10e40551f26dafe302f056f86ce6c6c138a96b0b79389a095b7fca
AgentTesla
3b730885744ae75260212b43010cbd9578df34c88450745169a56a99d2476ffa
AgentTesla
3ce4695af91401e898d1819f320779c68bf2bb8da493f222590ab537aa272c18
AgentTesla
6014abff3f883feb405938f546265bc9d6fd5a0397778d10fbbcf7e7a04370af
AgentTesla
80c4f287136c2fef0b36fdc744f31bc4e6e1b2ad7185e5074ea655f00e1e170d
AgentTesla
aa5d58519adc258a32494cee3551c16684a3d247c03ca114338756172fda96cb
AgentTesla
c2f1ec82febf0068c88740b94b858d400c40bc8bf1b368bc7c8920c138947b7b
AgentTesla
c64b982e4d39e00892526dfe075b7a35448b5d07e7dae1ec2df65dbce854773c
AgentTesla
+ 962 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201105-n5rt4p7tes/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
24e90aeb3226d26eb0e7f687d4b201888ced0a54948212aa4f9add68d897f44c
MD5 hash:
c942b80b0f318876735dbe5b5c9ba4d4
SHA1 hash:
6891dba4b4f9b1bee88d1dc73fb296e21ee8f505
Link:
https://www.unpac.me/results/40ba3419-0551-4c68-87fd-7d77cc182314/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img f0362a8942e76c46a786599598eb09cc06bc0f33283bad903007716a270f722f

AgentTesla

Executable exe 24e90aeb3226d26eb0e7f687d4b201888ced0a54948212aa4f9add68d897f44c

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 f0362a8942e76c46a786599598eb09cc06bc0f33283bad903007716a270f722f
Cape
Cape
https://www.capesandbox.com/analysis/83274/

Comments