MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2d65f98577cae0d1e463145ab9394a5cc02605d9b6e46e4f98bcaa340d38a3f5. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



AgentTesla


Vendor detections: 5



SHA256 hash: 2d65f98577cae0d1e463145ab9394a5cc02605d9b6e46e4f98bcaa340d38a3f5
SHA3-384 hash: 89f9f06a066e1be6f08248a2364b9c66da44eb3bff6f8e87bb1eb9bc58107e24841d1f323a49faa607cae6b24ba7494b
SHA1 hash: 72913b683a9fd20d47dd84e27f2f7110f7c1d2c8
MD5 hash: 2129d75d6bf0a79290937be1854bebde
humanhash: red-hotel-floor-tango
File name: ADDR0067-P001A.exe
Signature: AgentTesla
File size: 267'776 bytes
First seen: 2020-10-23 08:54:16 UTC
Last seen: 2020-10-23 10:09:59 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 6144:aeLmR27vD7itwuLr95+lWSyoEMQRzSeq+RO/kFEPH:a2Xw/qmoEMQ5Seq+RO/kFEP
Threatray: 471 similar samples on MalwareBazaar
TLSH: 0F446C5A3784318FCAA3E471C5542E6CF731E226630BD257D113A2E8ADCD7AEDE011B6
Reporter: abuse_ch
Tags: AgentTesla exe Telegram
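As an added example (not part of this MalwareBazaar entry and not abuse.ch's tooling), the script below computes the four digests the entry lists and checks a local file against them, and also against the SHA256 values given under "Unpacked files" in the Intelligence section. Python's hashlib covers MD5, SHA1, SHA256 and SHA3-384; imphash, ssdeep and TLSH need third-party libraries (pefile, ssdeep, py-tlsh) and are deliberately left out. The IOC values are copied from this entry; everything else (function names, the streaming chunk size) is my choice.

```python
import hashlib
import sys

# IOCs copied verbatim from this MalwareBazaar entry (ADDR0067-P001A.exe).
ENTRY_IOCS = {
    "md5": "2129d75d6bf0a79290937be1854bebde",
    "sha1": "72913b683a9fd20d47dd84e27f2f7110f7c1d2c8",
    "sha256": "2d65f98577cae0d1e463145ab9394a5cc02605d9b6e46e4f98bcaa340d38a3f5",
    "sha3_384": "89f9f06a066e1be6f08248a2364b9c66da44eb3bff6f8e87bb1eb9bc58107e24"
                "841d1f323a49faa607cae6b24ba7494b",
}

# SHA256 of the sample plus the three unpacked files listed under Intelligence.
UNPACKED_SHA256 = {
    "2d65f98577cae0d1e463145ab9394a5cc02605d9b6e46e4f98bcaa340d38a3f5",
    "08c1171d88801084f6d1701185c14f1b2fc8e332b7585457a6175c3f149708bb",
    "376e1bf36993d5355138f2669b17b11a606d901284cb8242deeb0dab1e159023",
    "b37d1904be03d289a7f3922bb2f0dfac4bd3da58cb9030f1e4c0f30855843ac5",
}

ALGOS = ("md5", "sha1", "sha256", "sha3_384")


def digest_bytes(data: bytes) -> dict:
    """Return the four digests MalwareBazaar lists for an in-memory blob, lowercase hex."""
    return {name: hashlib.new(name, data).hexdigest() for name in ALGOS}


def digest_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file once through all four hash objects (no full read into memory)."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def match_entry(digests: dict, iocs: dict = ENTRY_IOCS) -> list:
    """Names of every algorithm whose digest equals the entry's value.

    Comparison is case-insensitive because feeds disagree on hex case; any single
    match identifies this exact file, since all four are collision-resistant enough
    for this purpose (MD5 and SHA1 only for accidental, not adversarial, collisions).
    """
    return sorted(
        name for name, value in digests.items()
        if name in iocs and value.lower() == iocs[name].lower()
    )


def in_unpacked_set(sha256_hex: str) -> bool:
    """True if a SHA256 belongs to the sample or one of its unpacked stages."""
    return sha256_hex.lower() in UNPACKED_SHA256


if __name__ == "__main__":
    # Usage: python check_hashes.py <file> [<file> ...]
    for path in sys.argv[1:]:
        d = digest_file(path)
        hits = match_entry(d)
        stage = " (unpacked-stage hash)" if in_unpacked_set(d["sha256"]) else ""
        print(path, d["sha256"], "MATCH:" + ",".join(hits) if hits else "no match", stage)
```

A hit on any one algorithm is an identity match for this sample. The imphash on the page is a different kind of indicator: the entry itself shows it shared by 48'666 AgentTesla, 19'479 Formbook and 12'209 SnakeKeylogger samples, so it is a pivot for finding related .NET loaders, not evidence that a file is this sample or even this family, which is why it is not part of match_entry.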


abuse_ch
Malspam distributing AgentTesla:

HELO: nginxproxy.fleming.events
Sending IP: 195.168.10.2
From: Ertina Chan <saleseurope@dynamic-test.com>
Reply-To: Ertina Chan <scotmcnamam@gmail.com>
Subject: RFQ for ATTACHED P/N# ADDR0067-P001A
Attachment: ADDR0067-P001A.IMG.iso (contains "ADDR0067-P001A.exe")
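As an added example that is not part of abuse_ch's report, the Python below reconstructs a message carrying the headers and attachment name listed above and runs the checks a mail gateway or SOC triage script would apply to it: a Reply-To domain that differs from the From domain, a disk-image container as the attachment, a second extension hidden inside the filename, and extraction of the HELO name and connecting IP from the first Received header so they can be fed to a reputation or PTR lookup. The Received line and the rest of the message are my constructed placeholders built from the HELO and Sending IP fields above; the real headers, body and ISO are not on the page.

```python
import email
import os
import re
from email import policy
from email.utils import parseaddr

# Constructed message: the From, Reply-To, Subject and attachment name are the values
# reported above; the Received line is reconstructed from the HELO and sending IP,
# the receiving host is a placeholder, and the attachment body is 3 dummy bytes.
CONSTRUCTED_EML = (
    "Received: from nginxproxy.fleming.events (nginxproxy.fleming.events [195.168.10.2])\r\n"
    "\tby mx.example.invalid with ESMTP\r\n"
    "From: Ertina Chan <saleseurope@dynamic-test.com>\r\n"
    "Reply-To: Ertina Chan <scotmcnamam@gmail.com>\r\n"
    "Subject: RFQ for ATTACHED P/N# ADDR0067-P001A\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n\r\nPlease quote the attached part.\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="ADDR0067-P001A.IMG.iso"\r\n'
    'Content-Disposition: attachment; filename="ADDR0067-P001A.IMG.iso"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    "AAAA\r\n"
    "--b1--\r\n"
)

# Disk-image containers Windows mounts on double-click; used to get an .exe past
# attachment filters that block executables directly.
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}

# "from <helo> (<rdns> [<ip>])" as written by most MTAs in the Received header.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\([^)]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Two short extensions at the end of the name, e.g. "x.IMG.iso".
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.[a-z0-9]{2,4}$")


def domain_of(header_value) -> str:
    """Bare, lowercased domain of the first address in a header (empty if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()


def first_hop(raw: str):
    """(HELO name, connecting IP) from the top-most Received header.

    The top-most header is the one our own MX wrote, so it records the external host
    that actually connected; lower Received lines are attacker-controlled text.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(str(received[0]))
    return (m.group(1), m.group(2)) if m else None


def triage(raw: str) -> list:
    """Return (finding, detail) tuples for the indicators visible in this report."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"{from_dom} -> {reply_dom}"))
    for part in msg.iter_attachments():
        name = part.get_filename()
        if not name:
            continue
        lower = name.lower()
        if os.path.splitext(lower)[1] in CONTAINER_EXTS:
            findings.append(("container-attachment", name))
        if DOUBLE_EXT_RE.search(lower):
            findings.append(("double-extension", name))
    return findings


if __name__ == "__main__":
    print("first hop:", first_hop(CONSTRUCTED_EML))
    for finding in triage(CONSTRUCTED_EML):
        print(*finding)
```

The three findings together (free-mail Reply-To behind a corporate-looking From, a mounted-image container, and a filename built to look like a plain .IMG) are the shape of this campaign as reported; none is conclusive alone, and a quote request with a legitimate ISO will trigger the container check, so the output belongs in a scoring or review queue rather than a hard block. The HELO/IP pair is returned for enrichment: whether 195.168.10.2 reverse-resolves to nginxproxy.fleming.events and what reputation it carries cannot be decided offline.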

Intelligence


File Origin
# of uploads: 2
# of downloads: 101
Origin country: n/a
Vendor Threat Intelligence
Result
Verdict: Malware
Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.spyw.evad
Score: 88 / 100
Signature
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph: (image omitted)
Threat name: ByteCode-MSIL.Trojan.AgentTesla
Status: Malicious
First seen: 2020-10-23 07:37:15 UTC
AV detection: 23 of 29 (79.31%)
Threat level: 5/5
Result
Malware family: n/a
Score: 7/10
Tags: spyware
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SHA256 hash: 2d65f98577cae0d1e463145ab9394a5cc02605d9b6e46e4f98bcaa340d38a3f5
MD5 hash: 2129d75d6bf0a79290937be1854bebde
SHA1 hash: 72913b683a9fd20d47dd84e27f2f7110f7c1d2c8

SHA256 hash: 08c1171d88801084f6d1701185c14f1b2fc8e332b7585457a6175c3f149708bb
MD5 hash: 8864db60336e0aaf7831ff63e122dd45
SHA1 hash: 1c1f7154c5ce6a6b6c80a4c8588e7720ddcacded

SHA256 hash: 376e1bf36993d5355138f2669b17b11a606d901284cb8242deeb0dab1e159023
MD5 hash: e2f9f406c2408eeb2cc75ede33a4c328
SHA1 hash: 473484515deaba17f4051adb5e782a31b94d23a4

SHA256 hash: b37d1904be03d289a7f3922bb2f0dfac4bd3da58cb9030f1e4c0f30855843ac5
MD5 hash: f937862ecd1af74b2c285105488e66dc
SHA1 hash: d5e209b6e7dc7c4c98956e3887ac569ba258bf41
Please note that we are no longer able to provide a coverage score for VirusTotal.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Malspam: AgentTesla
Executable exe 2d65f98577cae0d1e463145ab9394a5cc02605d9b6e46e4f98bcaa340d38a3f5 (this sample)
Delivery method: Distributed via e-mail attachment

Comments