MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 268f89bd4548d21dd1f6133a394327691e479443003cb92cdf9c0568a6b3ec41. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 4 File information Comments

SHA256 hash:	268f89bd4548d21dd1f6133a394327691e479443003cb92cdf9c0568a6b3ec41
SHA3-384 hash:	c373a90f6a2fb0176bc57f521e0931c1e3c448f1e6ee7a8af682f69164c24d9bb6cdcff580d7d59886d247209f4c970a
SHA1 hash:	c4ca425c8a53aafe9a55a03cb8e63c3d683bdd63
MD5 hash:	16dae075b86dbf61569805914792ad99
humanhash:	hotel-edward-coffee-music
File name:	abbc25e9ea83a21efc5187d0188e8d92
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	351'744 bytes
First seen:	2020-11-17 15:19:14 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	0a131a315228230104c175573ec8ff41 (4 x Pony, 2 x Formbook, 2 x AgentTesla)
ssdeep	6144:JIZiPnrD5lhtnbQ8aLJyZwscVeYG3dwEEbuYItb/2jfNKW6hZq437LHsP6EVTZ:CYHhxOMZOc93KEguY6D2DsZhDrLMi0d
Threatray	2'631 similar samples on MalwareBazaar
TLSH	2B74233A76A4A952D3403A3DF38F2CBD44127D51085D5D597CA6FF2EEB787E48E20A02
Reporter	seifreed
Tags:	AgentTesla

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

PUA.Win.Packer.Upx-49

PUA.Win.Packer.UpxProtector-1

PUA.Win.Packer.Upolyx-12

PUA.Win.Packer.Upx-4

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/268f89bd4548d21dd1f6133a394327691e479443003cb92cdf9c0568a6b3ec41/

Threat name:

Win32.Trojan.LokiBot

Status:

Malicious

First seen:

2020-11-17 15:24:44 UTC

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=e2hytpkfjdjb3upwcm5dsqzhnepepfcdaa6lslg7tqcwrjvt5raq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

38cf806ecaf30b5209ebce1a41e7ac877d3201cec05f4a665fe85797a7069bbc

AgentTesla

428b4819734a979d5685b235d190ab9e07bfd6e5098e22ee9195cd386dc701d0

AgentTesla

8cb25252905f6fab8abc9f48771ae415291f4b1bee655f57fcc7114c38568be8

AgentTesla

ba3548566c5eda9447bd910346549f92ecc5cd51f959f51cc7bc836a2ce49501

AgentTesla

bf310f0ae72ab1080c4967aca8ecebcf6e2c56cc7a3672c3b3e602c03870aad9

AgentTesla

c5c5950509109e01461d9a3779f6ff994b755f4f995c241c1d0e9f775df867c6

AgentTesla

cf0bad09c814bb64da93ebdb2ef5830c3b83e5106ae967e2155ebae2f2c63cc3

AgentTesla

d786c5ecc0fd677c853ccc3bcff9136d7b15b1342ffd929188826e1a38d75e04

AgentTesla

e5c32739c115f51b0d7bf70fe1c50ca8253ee7ce97ef53d97582417e4bc093cb

AgentTesla

+ 2'621 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan upx

Link:

https://tria.ge/reports/201117-95xs3wdlda/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Unpacked files

SH256 hash:

268f89bd4548d21dd1f6133a394327691e479443003cb92cdf9c0568a6b3ec41

MD5 hash:

16dae075b86dbf61569805914792ad99

SHA1 hash:

c4ca425c8a53aafe9a55a03cb8e63c3d683bdd63

Link:

https://www.unpac.me/results/cf182a80-eeb9-42cf-b237-3e4509a18cdf/

SH256 hash:

73525c7e07b39f5a361c4030d63631cdc4b2691ad02540c7113b34886640fc4b

MD5 hash:

fcb241c8c7cbee4f742a42821d5bbf9c

SHA1 hash:

66787e61b0512ba0c1f5b79e3628ad41de37626c

Link:

https://www.unpac.me/results/cf182a80-eeb9-42cf-b237-3e4509a18cdf/

SH256 hash:

d50827fbc8a4c18259c308ceee616d9bfabe9e54a55e38eb167bc025320ed1a1

MD5 hash:

d6f6b4d55fb94616a0e267e160a85f53

SHA1 hash:

010c519e57c6ae6f21e219e1fe03ae596ccdc817

Link:

https://www.unpac.me/results/cf182a80-eeb9-42cf-b237-3e4509a18cdf/

SH256 hash:

1ba6b46a99a1d5687c82e62b30801e4c5f531c75ceb65a095bc1a1183a7786c6

MD5 hash:

cdd5a40cdc84b8efb885baf1e8fdfc41

SHA1 hash:

1feaf811f46ef6f7b4e8f9c991efbf6b49017a51

Link:

https://www.unpac.me/results/cf182a80-eeb9-42cf-b237-3e4509a18cdf/

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekshen
Description:	AgentTeslaV3 infostealer payload

Rule name:	suspicious_packer_section Create hunting rule
Author:	@j0sm1
Description:	The packer/protector section names/keywords
Reference:	http://www.hexacorn.com/blog/2012/10/14/random-stats-from-1-2m-samples-pe-section-names/

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample