MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA 2 File information Comments

SHA256 hash:	2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51
SHA3-384 hash:	b4a8bc10c3c027dee25d1d9fd14f61a04b3a169ebf3abe8fa168f5f9786644fd17b34022e140fd8bf3c09a31ec8eece3
SHA1 hash:	6cb47399b122cfe30964202df21af04e50b04fa4
MD5 hash:	da277c89c43fe94afcca351307abe2da
humanhash:	fruit-butter-twenty-north
File name:	INVOICE.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	765'440 bytes
First seen:	2020-12-01 06:22:16 UTC
Last seen:	2020-12-01 08:08:42 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:CW2qPVGNbTuMuKBD7hpvAcVU/Wcv0SAq4UA1J96/jrCvY6lWa9Zo2613Uwj3DNHf:tST0sDdvurAqzA1Jc/jr8t9P61vHVD5h
Threatray	1'610 similar samples on MalwareBazaar
TLSH	15F49E399E59653AF5766B3CC1A02195AAAE77D3B307CCAC28F601CD0B27E4399C143D
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

150

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/106157/

Detection(s):

SecuriteInfo.com.Trojan-PSW.MSIL.Agensla.gen.8718.UNOFFICIAL

Result

Verdict:

Clean

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/551792

Signature

.NET source code contains very large strings

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-12-01 06:23:10 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

18 of 29 (62.07%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=fmegmdafhbixjaubrht5iodk63uc3llddpztuowgw5nr5yusrniq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

18d3a183977a47e81f60e8ec7dfe404116b0f0f9a515696752710d6f5c005866

AgentTesla

19006e1934a36332207bb746cdfad53e5264682ed947d4f6c99debecefe12f99

AgentTesla

25c6ed88a34e97a0d1c4c8fa3d2c90a6b39345a56f0dbf5775bb2e4d2320415f

AgentTesla

342af886075cca7fdeb8b212c3cfa6721adb1282dd670f0221a7f08cf1946dda

AgentTesla

9b21a961dea4dd3f79e08cfc5bd13aca22c3ebfefc9d5c347713b4c492d66c1f

AgentTesla

a261898485667823b47ab6885b0cd8c16d126bc0f1671dd7aeb9b675aa01aff0

AgentTesla

c8a8b43ec47c6c9831e275e2009ab58f7794374b4876fe72dbc4151296330aec

AgentTesla

ccf7cbe501b4e91d8f020fb061bbb24167316704bb9566aed6a6a5bc36df3d73

AgentTesla

f06c40df7dde44469aa47985010736dbd83224df91951b9d55cdb7a377353a61

AgentTesla

+ 1'600 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion spyware

Link:

https://tria.ge/reports/201201-sq59gg2k62/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Unpacked files

SH256 hash:

2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51

MD5 hash:

da277c89c43fe94afcca351307abe2da

SHA1 hash:

6cb47399b122cfe30964202df21af04e50b04fa4

Link:

https://www.unpac.me/results/ba8e834b-4e20-4c85-9fee-1a669975ac67/

SH256 hash:

9584f6d01e6452371cc9b4828030a13045d99c243c497b63628828e66aabe26f

MD5 hash:

7476e403eef14ac403c63c7279831780

SHA1 hash:

8387f558e30dc115987ac2b5c174a41302471abf

Link:

https://www.unpac.me/results/ba8e834b-4e20-4c85-9fee-1a669975ac67/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.