MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36aa5f316ccbdec9f0945c33c142563d4bee16b3cab1bd8f17cea4d30594cf0d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 36aa5f316ccbdec9f0945c33c142563d4bee16b3cab1bd8f17cea4d30594cf0d
SHA3-384 hash: 57755d5673dccd75b136baf8679b5c7d540f70c5afe8692d1eea6273fea843c9e3f5160796fce2a3381967757e93e8a6
SHA1 hash: cb0dfb30c5769cfe3a9b048948b9719b0e50c2fc
MD5 hash: 4efd01c55f26961a557d97829061d09d
humanhash: fanta-twenty-floor-yellow
File name:SOA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:4'154'368 bytes
First seen:2020-10-24 06:34:24 UTC
Last seen:2020-10-24 07:58:24 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 98304:RYGd9hEcJyveZtIZQio90f6tzRF5wiPEMnCI7UjPGGT+c1:RZhXQveCJoYwz6RMCYUjPj+
Threatray 15 similar samples on MalwareBazaar
TLSH DD163360BB50ABD1D46E4FBC083D930503B27C4A9A51DA4D1DD472FF68A2B849F4ABD3
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: stock.ovh
Sending IP: 51.178.87.221
From: qiuxu <x.qiu@rotodecor-china.cn>
Subject: RE: SOA JUN-OCT. 2020
Attachment: SOA.rar (contains "SOA.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/75178/
Detection(s):
SecuriteInfo.com.BackDoor.Bladabindi.13678.16032.9014.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Blocking the User Account Control
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/508566
Signature
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/36aa5f316ccbdec9f0945c33c142563d4bee16b3cab1bd8f17cea4d30594cf0d/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 18:40:10 UTC
AV detection:
22 of 28 (78.57%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=g2vf6mlmzppmt4eulqz4cqswhvf64fvtzky33dyxz2sngbmuz4gq._file
Verdict:
unknown
Similar samples:
0e7b2a38cabc39fe3fd5b546c03de814d8883434a01c921b2b4bbd1a9417564d
AgentTesla
371f46d6159d5fcba2d1531a470938fcd195840aeaf1147ec894407a7387431d
AgentTesla
4f3d500dc26e8a87fe7361064a50b7715731c378ec019e4643986f1e5c524cee
AgentTesla
73daa7c456a2dc8ebb8b372c752253c4d70ee390e35cc37b25f56571d31143ca
AgentTesla
932f441f48b8141855595770e135e4835569547461b337fea67a695f33e1e65a
AgentTesla
97f116dcd4a161a4265ccaf07dc12acec0e3e4a3af4216ba95f5f63c80a06fcd
AgentTesla
c62efee952c1bb4ff8e9fd28f3e477180010f8be162e6ddf8b8bfb42c78dfe2a
AgentTesla
d5313cb45c7eafd84a3d91d1b94d98693556f528bdad1e420433aed0b54fcae3
AgentTesla
d68a5a2bf92f0f08b8eb6f39351462f81d65d54085c1c7ae3aa81b2d3018434e
AgentTesla
d6b229f25b3f185395e58f98c048cad58d929c7a25e6b95319d27da5f5292588
AgentTesla
+ 5 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201024-ge7t1sbke2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
UAC bypass
Unpacked files
SH256 hash:
da658a345359d1170d65b593b2ed708900d4eecb73c33f926a405f274ab3e73d
MD5 hash:
47566096e2fd8b6f30b33ee6c8558a54
SHA1 hash:
7ebccce1cc9cb039af5b3a2df7dd18e054db3bd4
Link:
https://www.unpac.me/results/5c22757a-194e-4dd0-a1fa-496f1c076f40/
SH256 hash:
3664a284468c636ab86841ac7c7fe42a947b713740082480e56b40902fb6c25c
MD5 hash:
479ba08a8d69283ab257a2bbdee05867
SHA1 hash:
0e8e1eee71130764707bd67b6cfad0c2c68ec307
Link:
https://www.unpac.me/results/5c22757a-194e-4dd0-a1fa-496f1c076f40/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/5c22757a-194e-4dd0-a1fa-496f1c076f40/
SH256 hash:
03b33dc314e4e48df7f4268c06da860e4f9e2a6440d22c05a5ffe40b10b7b54e
MD5 hash:
e539377f7742afed7dcc4aa5cc4f1691
SHA1 hash:
ce34e5376247792e764b9e57fab51e4df6854997
Link:
https://www.unpac.me/results/5c22757a-194e-4dd0-a1fa-496f1c076f40/
SH256 hash:
36aa5f316ccbdec9f0945c33c142563d4bee16b3cab1bd8f17cea4d30594cf0d
MD5 hash:
4efd01c55f26961a557d97829061d09d
SHA1 hash:
cb0dfb30c5769cfe3a9b048948b9719b0e50c2fc
Link:
https://www.unpac.me/results/5c22757a-194e-4dd0-a1fa-496f1c076f40/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Trojan
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/36aa5f316ccbdec9f0945c33c142563d4bee16b3cab1bd8f17cea4d30594cf0d

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar d9db884caac1922f00afd512ecb4af861d5e1df4fbdd1bca48a1606178769739

AgentTesla

Executable exe 36aa5f316ccbdec9f0945c33c142563d4bee16b3cab1bd8f17cea4d30594cf0d

(this sample)

  
Dropped by
MD5 cf0b403131fb2f739bdf135f58131ee3
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75178/
  
Dropped by
SHA256 d9db884caac1922f00afd512ecb4af861d5e1df4fbdd1bca48a1606178769739

Comments