MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 36ad174dc1219e4abe9fabbc138e47e218e83741101f6848de3d05af6528948b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 10

Intelligence 10 IOCs YARA 2 File information Comments

SHA256 hash:	36ad174dc1219e4abe9fabbc138e47e218e83741101f6848de3d05af6528948b
SHA3-384 hash:	7559467aef8b37409e17a0b1a3775474fc477b33b47ff61acb47925f1470a02db3dc4d872e9afb3c0469f61b98d6456d
SHA1 hash:	754ce3dc93b2a86683b8bba56b2782305d6063cc
MD5 hash:	1b668d86319698330480952580aa7ea8
humanhash:	william-autumn-oven-bulldog
File name:	Williams Order_pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	431'104 bytes
First seen:	2020-12-09 06:32:44 UTC
Last seen:	2020-12-09 08:38:48 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fe19725c720b3564577348fd32bb4f52 (4 x AgentTesla)
ssdeep	12288:t9noE3YJZutl8HP1w7YNFO7L1Ei71Ac5V:tN3YJZuteRNFAL1Dyc5V
Threatray	1'810 similar samples on MalwareBazaar
TLSH	2494F101B9E94030E0B7537B1460E6620ABEFD3A4E665E9F6BCC4D8D4A750D0A729F73
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

133

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

1b668d86319698330480952580aa7ea8.zip

Verdict:

Malicious activity

Analysis date:

2020-12-09 05:09:25 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/12a854be-d0ff-4688-9d7f-df7b68218c09

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/107375/

Detection(s):

SecuriteInfo.com.Artemis1B668D863196.24621.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Unauthorized injection to a recently created process

Creating a window

Using the Windows Management Instrumentation requests

Result

Gathering data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/558647

Signature

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/36ad174dc1219e4abe9fabbc138e47e218e83741101f6848de3d05af6528948b/

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=g2wrotobegpevpu7vo6bhdsh4imoqn2bcapwqsg6huc26zjissfq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

1b309fba5ed6a5cca9df11aa42633e07a7c64d3b4474849a0ede645dde5c0a50

AgentTesla

559599c95e2829cf5c4e8160a0b0af34e8f0d884e86a5457069e8f3342a9ed99

AgentTesla

7d69ecaf108320a941b846030a0438843d5cc4ea8067807b7db4b783c1fffa60

AgentTesla

82771bd2f4647b2f1035af9e1b84412f0997cf2d12a495f2c9db58a9278913cd

AgentTesla

bee3c64a4d3862a54f11a05303fb39c9768891841673269e477d0d87ec1862e2

AgentTesla

d5269c737f5691eab59bcc8c6ba21a4ad0244e37d87c2fae38543ad15aa6707f

AgentTesla

f0999846e27d7158bd06a0c2c141c3dbfd010d3cd4a70c0edec48504539888b4

AgentTesla

f104dda9f5fb6e0f5659843ce1698c2da434fe2cd9e986a4cd410c0473ca6cf6

AgentTesla

f70814e5323848f5ef921f93e8a1a9bd2e99dec11777004c59bf989093707956

AgentTesla

+ 1'800 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201209-s8ampth1yn/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Unpacked files

SH256 hash:

a212df313f79f794aa87b923e87af9d5947b9e204af1beb4b8d7f82c3a44a0ce

MD5 hash:

47e91c4772cbb29f602ad3fb4f18d119

SHA1 hash:

4fe1eb3c5f9267eba1fdfa4e5f9859d324a132b1

Link:

https://www.unpac.me/results/c94fcde7-f229-46bf-baaf-7a3c13cd95de/

SH256 hash:

f35a004553493f66c69f59aa13f7f14c67752824bf5654d9dd58c5efb3fc1c76

MD5 hash:

55a8e0e10577d52d7290e29224a23313

SHA1 hash:

c92138098585b2be7fdb7f96872fa3da4e86e6c8

Link:

https://www.unpac.me/results/c94fcde7-f229-46bf-baaf-7a3c13cd95de/

SH256 hash:

36ad174dc1219e4abe9fabbc138e47e218e83741101f6848de3d05af6528948b

MD5 hash:

1b668d86319698330480952580aa7ea8

SHA1 hash:

754ce3dc93b2a86683b8bba56b2782305d6063cc

Link:

https://www.unpac.me/results/c94fcde7-f229-46bf-baaf-7a3c13cd95de/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Kryptik

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/36ad174dc1219e4abe9fabbc138e47e218e83741101f6848de3d05af6528948b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.