MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 37a4202e64f88ef928f46cdb05653527a1201aaffd431022eececff19348515b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	37a4202e64f88ef928f46cdb05653527a1201aaffd431022eececff19348515b
SHA3-384 hash:	aadaf19ac6280a52d74e7bb640a3aeaf99c3e7701f4f46f17d1a80a3e998392bb036459e2e2cd09e898d3325cea066f8
SHA1 hash:	ae242d8709f588cc91f9ab814a5efeb6c1a160bc
MD5 hash:	2689e0bd727c85849f786822b360cd28
humanhash:	lamp-bluebird-red-south
File name:	starx.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	731'136 bytes
First seen:	2020-09-16 12:26:39 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	c2a7364bfb60f494f5befb8ae472c661 (8 x MassLogger, 4 x AgentTesla, 1 x AZORult)
ssdeep	12288:24jGha4fxBa4wlDKffkMZvhxgnjeQZbzO/p1nZeeIItJ8HzYsX8q:2KlaBa1sMMZvIniOzOh1nwIQH0G
Threatray	1'552 similar samples on MalwareBazaar
TLSH	B0F49D12E2FC4433D1732A3D9D2B57749825BD133E38984B6BE4ED4C5F396817A252A3
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

100

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/62050/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.BackDoor.SpyBotNET.25.27015.23593.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Sending a UDP request

Using the Windows Management Instrumentation requests

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/467799

Signature

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/37a4202e64f88ef928f46cdb05653527a1201aaffd431022eececff19348515b/

Threat name:

Win32.Trojan.LokibotCrypt

Status:

Malicious

First seen:

2020-09-16 11:27:35 UTC

File Type:

PE (Exe)

Extracted files:

AV detection:

27 of 29 (93.10%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=g6scalte7chpskhuntnqkzjve6qsagvp7vbraixoz3h7de2ikfnq._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

AgentTesla

3a8afa181b83a479c7c476791061dd4a7df56a59e21bcb72f0c8a32d76b66d5b

AgentTesla

4d6a4c556af5a4e4a05ca5aadb976af1f792bb509cd17cf26aa2ca3081317e3c

AgentTesla

7b4a3076004fb5f7f9b88f3e0d6bd24caa597393bbfa614c2d9f6e028846a957

AgentTesla

a2e301c703d79b6d39f84d4135ff8bb2681500b1da30d034285453d5cb493a55

AgentTesla

a921089f3327d511043c7feffed9985bfb3a7ca5ee43e0724c344ad8cb63fbf5

AgentTesla

b98ed6a71c93bc3722112643bea2bbe8767e016d807e0463266ee2fd47ad9e80

AgentTesla

c18d20986c78642ced7ac827d0436033e931d6bfad38b70ab4473cea1da792a2

AgentTesla

cc5b616ee151f836fb52d686f978123c5427d27f738baaea8583e791f9742686

AgentTesla

d0ced70a4b700dc5e0905bf3743a224ac4722139d7507e367c32880c72ecd048

AgentTesla

+ 1'542 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200916-gmgzwkzgc6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/37a4202e64f88ef928f46cdb05653527a1201aaffd431022eececff19348515b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/62050/

URLhaus

https://urlhaus.abuse.ch/url/527357/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample