MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2a9005e0218ee1fa65d55949828ccdea090ef64747d7913b2e6b38dc0a4adfb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA File information Comments

SHA256 hash:	2a9005e0218ee1fa65d55949828ccdea090ef64747d7913b2e6b38dc0a4adfb9
SHA3-384 hash:	337eafcdbea705eecfe1e3b6cd99e60e47222898052102c2f3e65ca4e19e8aebfb097f5f9e2027387c09d841c8c270ea
SHA1 hash:	094b2fb8dbcc0d1dc78bee75d0b20826a9e6783f
MD5 hash:	18fafaf2b874221bf5ae77c432de1557
humanhash:	venus-michigan-mirror-may
File name:	transfer copy.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	392'192 bytes
First seen:	2020-12-22 12:50:16 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	db3ba5a38c467c1467d8cab70dfeeb13 (24 x SnakeKeylogger, 1 x BitRAT, 1 x AgentTesla)
ssdeep	6144:KLHiuJrMLXMhYQzzlMbVQZmVPofudE/1zL+ZXtcHhnoO/Reh:+JreMu/V4mNZM1zStcHhnpa
Threatray	1'966 similar samples on MalwareBazaar
TLSH	8E84E191B25EC5A9F42B19B36C9BC55062B1AD5FBB91028E719AB31909F331300BFD4F
Reporter	abuse_ch
Tags:	AgentTesla Endurance scr

abuse_ch

Malspam distributing unidentified malware:

HELO: 162-144-100-85.unifiedlayer.com
Sending IP: 162.144.38.36
From: PAY-U INT'L <sales9@oxy99.in>
Subject: INCORRECT BANK DETAILS FOR PAYMENT
Attachment: transfer copy.img (contains "transfer copy.scr")

Intelligence

File Origin

# of uploads :

# of downloads :

292

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

transfer copy.scr

Verdict:

Malicious activity

Analysis date:

2020-12-22 12:32:12 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/9df262c0-8016-417f-bff0-07dc0ee2be83

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/108887/

Detection(s):

SecuriteInfo.com.BScope.Trojan.Crypt.5016.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a file in the %temp% subdirectories

Creating a file

Running batch commands

Launching a process

Enabling autorun by creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/568255

Signature

.NET source code contains very large array initializations

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/2a9005e0218ee1fa65d55949828ccdea090ef64747d7913b2e6b38dc0a4adfb9/

Threat name:

Win32.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-22 12:51:09 UTC

AV detection:

17 of 29 (58.62%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fkialybbr3q7uzovlfeyfdgn5ieq55shi7lzcozonm4nycsk364q._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1b95de55808c88599a46d6a21a0063a874a6e2ca7f0644989ce60eee025a6485

AgentTesla

3df7f5b80ddcfcddd7c2a5fc2e64ccfb8467b0892ab6c5315906ec5d03cb8a72

AgentTesla

4d302b4fd8564f5e3f9b505c0f342ec0e133fca6e5d0c6b3bd89746351561c5b

AgentTesla

5bdbe509086a48374c2eb7d22558abaad0d87f61962965ddfeb91bc0d1a1491d

AgentTesla

70528f1500aeffb424cc452a6afaa99ddf4b8deb61a6e41830270dfb1400589f

AgentTesla

81f08bb7f6faa0880efb94cc2fb91eec241e83b3d5b992c9564608bbe3c974e2

AgentTesla

848bb4e9ca2acb33c8a183eefb65637edd6c2d837a6d490d41509896a79f95d3

AgentTesla

d0a531def227f88eb7cf052fb7b94b33b7a1daca060bdb464e21739d606c99d4

AgentTesla

ee800c211606c5adfaf0f26d2505085d08b7097dad09ccff38134c6403d51598

AgentTesla

+ 1'956 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201222-994x5wmzdn/

Behaviour

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

2a9005e0218ee1fa65d55949828ccdea090ef64747d7913b2e6b38dc0a4adfb9

MD5 hash:

18fafaf2b874221bf5ae77c432de1557

SHA1 hash:

094b2fb8dbcc0d1dc78bee75d0b20826a9e6783f

Link:

https://www.unpac.me/results/10716368-286d-4823-b1f5-fbc65c62fef0/

SH256 hash:

818d922397d27eff551617522a18c4e48b6ac3ebf0dd847cd3ee74c2308096ad

MD5 hash:

03379a018ccbbc6f70ff98dea9e87c6c

SHA1 hash:

5eb0de914b34f6cbedccf2924330176b3592a39a

Link:

https://www.unpac.me/results/10716368-286d-4823-b1f5-fbc65c62fef0/

SH256 hash:

be64894e5f942156c48dfe4e28403ba86f190d78c117693b1c6487f463bce8bd

MD5 hash:

b0c851314d4ae405b4ef0f1abf827439

SHA1 hash:

c1fef279923dfa281500c050376aca22ec92e862

Link:

https://www.unpac.me/results/10716368-286d-4823-b1f5-fbc65c62fef0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Spyware

Score:

0.70

Link:

https://yomi.yoroi.company/submissions/2a9005e0218ee1fa65d55949828ccdea090ef64747d7913b2e6b38dc0a4adfb9

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 0636fb3768e587d8833bdfd88c2c45b3fe6319ddb3cd62ec6c1d49736715f9d3

AgentTesla

exe 2a9005e0218ee1fa65d55949828ccdea090ef64747d7913b2e6b38dc0a4adfb9

(this sample)

Dropped by

MD5 386616b9371effc155792a6b34637849

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 0636fb3768e587d8833bdfd88c2c45b3fe6319ddb3cd62ec6c1d49736715f9d3

Cape

https://www.capesandbox.com/analysis/108887/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample