MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe
SHA3-384 hash: 4676bb7e3a85b2e4cba320fe89da35e63315b4066b8d33f7ca61ea7764c408388d621aba061384e9fd7fb18460bff3db
SHA1 hash: 885119ba056748158b3135ec22e039b46725b962
MD5 hash: 16b5216afca6ede3df5ee77350e8275a
humanhash: failed-west-golf-michigan
File name:LC AGAINST.gz.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:719'360 bytes
First seen:2020-10-07 08:28:12 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:9JWH9BlxiOR1OW9fZVBi5fHgPzXE+OYV3yUMQzeaKcFB1x+Pi:9K9diUlFixHgPLE+OYVpje
Threatray 1'229 similar samples on MalwareBazaar
TLSH 8FE4F1343AD4FB8FC50A8F7A85160824EBF0947A8747F357ACD714EC950E6DE8A262D1
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/68854/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/483888
Signature
Binary contains a suspicious time stamp
Contains functionality to register a low level keyboard hook
Disables Windows Defender (via service or powershell)
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 294388 Sample: LC AGAINST.gz.exe Startdate: 07/10/2020 Architecture: WINDOWS Score: 100 40 Multi AV Scanner detection for dropped file 2->40 42 Sigma detected: Scheduled temp file as task from temp location 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 12 other signatures 2->46 7 LC AGAINST.gz.exe 1 7 2->7         started        process3 file4 32 C:\Users\user\AppData\...\YxbtIIJmgqW.exe, PE32 7->32 dropped 34 C:\Users\...\YxbtIIJmgqW.exe:Zone.Identifier, ASCII 7->34 dropped 36 C:\Users\user\AppData\Local\...\tmpED85.tmp, XML 7->36 dropped 38 C:\Users\user\...\LC AGAINST.gz.exe.log, ASCII 7->38 dropped 48 Disables Windows Defender (via service or powershell) 7->48 11 LC AGAINST.gz.exe 7->11         started        14 powershell.exe 22 7->14         started        16 powershell.exe 25 7->16         started        18 13 other processes 7->18 signatures5 process6 signatures7 50 Installs a global keyboard hook 11->50 20 conhost.exe 14->20         started        22 conhost.exe 16->22         started        24 conhost.exe 18->24         started        26 conhost.exe 18->26         started        28 conhost.exe 18->28         started        30 10 other processes 18->30 process8
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-07 07:48:48 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=f7s4ugc4my7f2bwqvxq2jyhv3hajsqrzcavfufzfvj7cl3n36x7a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c2bb30542c1eccedf03c4d33aeed1351ef6415397d90f63a42f3b78a0371516
AgentTesla
3fbf2e87f150e0aee720dc30b69cb5f7811fb855192c74c6be180fa23a06d5ed
AgentTesla
40536a648af9c2b557ed6686cf932119d001d1ae3baf9df4da8bbc3ea457f8a4
AgentTesla
4a4f7d774032e80c392ff7fe598a05736cf4f71dc0dcf5616ce980f9cbb598ae
AgentTesla
4e0d9011480354268839674ee979b89b902a9672dc5b728c3428bd613ba65154
AgentTesla
64c4d370517d05b2add478ca85855bf94c4c51ed05e9e02a92afecc04459ea38
AgentTesla
780a88c79396f2df8841cf5f66f6807402e45b1db65e20f10d6814e6300cf8f5
AgentTesla
96bb500afd48645a966af87ba319dc72388964f84726552f72f31c936c7628b2
AgentTesla
cc87cc3cff16721cb3f7e6be1e5be62bcdacafd1fa70ec879c6a9c12a9b438bb
AgentTesla
d2e12e778519b6ea35daaef5eadae95b9f9e7f60676c8ddae1b321e384984c63
AgentTesla
+ 1'219 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  1/10
Tags:
n/a
Link:
https://tria.ge/reports/201007-3tbxe6q5be/
Unpacked files
SH256 hash:
2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe
MD5 hash:
16b5216afca6ede3df5ee77350e8275a
SHA1 hash:
885119ba056748158b3135ec22e039b46725b962
Link:
https://www.unpac.me/results/0ab4d6c1-38e2-4eed-be0d-6cef013f7b6f/
SH256 hash:
97f7572b0708cc123079156af9c42d63aceb5263553016269cd7a22c7d9fb871
MD5 hash:
99d5890065854e95ccd9b450ae85d435
SHA1 hash:
1a94d584877efcb62d6ccb4c29360def1a6f7c7b
Link:
https://www.unpac.me/results/0ab4d6c1-38e2-4eed-be0d-6cef013f7b6f/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/0ab4d6c1-38e2-4eed-be0d-6cef013f7b6f/
SH256 hash:
4c5c57e34f7f0a0abb5f0b9328881b03c1b50644953594ac256be96950a28780
MD5 hash:
2c24e8de263f72b39f1ee932fa467af8
SHA1 hash:
3d07b6f064927fa00400121f7ec79b75ad4e652f
Link:
https://www.unpac.me/results/0ab4d6c1-38e2-4eed-be0d-6cef013f7b6f/
SH256 hash:
d32e31599396db195e52faee97321b533a63b469da3fef981bd0d621313c4bab
MD5 hash:
e560bfb02d453452d0b6700d69d0b4a3
SHA1 hash:
64f4beca7646dbae5875b953a814f32571c7fb9e
Link:
https://www.unpac.me/results/0ab4d6c1-38e2-4eed-be0d-6cef013f7b6f/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

gz 0805d50d4c3d3bcbb81035416d74f7ff3e7facc02790297b70d0e82b4d9110b3

AgentTesla

Executable exe 2fe5ca185c663e5d06d0ade1a4e0f5d9c0994239102a5a1725aa7e25edbbf5fe

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0805d50d4c3d3bcbb81035416d74f7ff3e7facc02790297b70d0e82b4d9110b3
Cape
Cape
https://www.capesandbox.com/analysis/68854/

Comments