MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2cec9b854e5111f7b5933c823251a1a44c3335d9a91c0ba7ca49a76eceac50d0. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	2cec9b854e5111f7b5933c823251a1a44c3335d9a91c0ba7ca49a76eceac50d0
SHA3-384 hash:	591e961572158ead664fac09a14c905da0bbafdd2972b0745073cf8b2e6863580d4d666419cbdf00cc9f3ee715c95773
SHA1 hash:	61db1112195abf77ec940f7cd937b6f559ffe29e
MD5 hash:	09d0daa960a40f1d79f5a726a09ba1d0
humanhash:	coffee-zebra-mike-oscar
File name:	Uni-Pharma-0116PDF.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'149'440 bytes
First seen:	2021-05-24 16:05:31 UTC
Last seen:	2021-05-24 17:06:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	24576:UgWoHUhTnky0cpvYsnO8txnButri8+sY:UpcITjzpwsnZV6F+
Threatray	5'235 similar samples on MalwareBazaar
TLSH	0435595BF388BEA5C16D4E3880571E5D83DEE4533372F76F8294A4D27D01B8A4A0E267
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

114

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Uni-Pharma-0116PDF.exe

Verdict:

Suspicious activity

Analysis date:

2021-05-24 23:44:50 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/981dccf1-3181-4955-8d22-1fbf38c9b0a0

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

DNS request

Sending a custom TCP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Using the Windows Management Instrumentation requests

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/790850

Signature

.NET source code contains very large array initializations

Found malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/2cec9b854e5111f7b5933c823251a1a44c3335d9a91c0ba7ca49a76eceac50d0/

Threat name:

Win32.Trojan.Woreflint

Status:

Malicious

First seen:

2021-05-24 08:36:49 UTC

AV detection:

15 of 28 (53.57%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ftwjxbkokei7pnmthsbdeunburgdgnozveoaxj6kjgtw5tvmkdia._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

0f8ce6f5eb21291a23305d675444658dbe619d7a9131c4bda4b49d20d60afeec

AgentTesla

7a388ead62a8f818b36c9c9a1938c2172c4fa05edfc71307980131c53c69d054

AgentTesla

7ec0013035b5a6c21985a1094de2f2aace63b0b7a3cf2262798a1bffd19aae8a

AgentTesla

91dad32ea8f4e51f9b5b07f0e9f8ecdbe81c4db2a54a256686f523e42636a4ab

AgentTesla

be0dc158152fc2de2e3552779884f45e7ac9cb1a62456d23d0a6ee78e357c757

AgentTesla

ec694537528f39e61c4a295e99932641ac2660f8580911790926294c4a190afc

AgentTesla

f3955ec185341df0ba244092025e241a6410a45f1700f406e61397ff40f94192

AgentTesla

fbbed47e36ef8e3ca336e9e918d3dc558a8e6c3b0cf6c84ac4345cfb0308abc1

AgentTesla

fe0a5fde4fbbddd79d2938af2373c69a8219ea73831be712f1bca86150a30461

AgentTesla

+ 5'225 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla agilenet keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210524-mzy48q7hjs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Program crash

Suspicious use of SetThreadContext

Obfuscated with Agile.Net obfuscator

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.51

Link:

https://yomi.yoroi.company/submissions/2cec9b854e5111f7b5933c823251a1a44c3335d9a91c0ba7ca49a76eceac50d0

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

No further information available

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample