MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 43d7967618189443a76d5822903ae6133c4def90b5d695b138ac96679d00d87c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	43d7967618189443a76d5822903ae6133c4def90b5d695b138ac96679d00d87c
SHA3-384 hash:	dc879fd27d625fa2bd4c00f946315c48d57e3586a80a08dd140d7e96d3d18a071807b34ade1658832ad3bcf301ca8323
SHA1 hash:	4f1206565d558337b2c6cbc6e21cd86fdec44007
MD5 hash:	c595354c2875805d9b2a5eae08609b2d
humanhash:	oklahoma-violet-floor-helium
File name:	PO copy.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	705'536 bytes
First seen:	2020-09-16 05:47:05 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	578301c193d82352087fd46ebb1a924e (8 x MassLogger, 3 x AgentTesla)
ssdeep	12288:c59M/CUUzFaobCO4kBSzCg6UPH//tg+QZYhSuHX8kjxepix4088:crYUhzRsCg6Yn++QKSuvleG
Threatray	1'522 similar samples on MalwareBazaar
TLSH	ADE49E23A1604833C052253D8D1B57B89B25BE113D2B9C46EFF9ED4C5FBB68076EA093
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/61486/

Detection(s):

PUA.Win.Adware.Slugin-6803969-0

PUA.Win.Adware.Slugin-6840354-0

SecuriteInfo.com.BScope.Trojan.Wacatac.12322.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Unauthorized injection to a recently created process

Using the Windows Management Instrumentation requests

Sending a UDP request

Reading critical registry keys

DNS request

Sending a custom TCP request

Stealing user critical data

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/467479

Signature

.NET source code contains very large array initializations

Antivirus / Scanner detection for submitted sample

Contains functionality to detect sleep reduction / modifications

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

May check the online IP address of the machine

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Suspicious Double Extension

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/43d7967618189443a76d5822903ae6133c4def90b5d695b138ac96679d00d87c/

Threat name:

Win32.Trojan.LokibotCrypt

Status:

Malicious

First seen:

2020-09-15 10:37:04 UTC

File Type:

PE (Exe)

Extracted files:

129

AV detection:

44 of 48 (91.67%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=iplzm5qydckehj3nlarjaoxgcm6e334qwxljlmjyvslgphia3b6a._file

Verdict:

malicious

Label(s):

hawkeyekeylogger

agenttesla

AgentTesla

165a1197676a6b92b0086bbdb79a3b615c83ec9d686449b934c4475905608b2a

AgentTesla

1cf5e8d0a8bcf5fde41e81d015c9b3c517a94401de7834d3644d0a4e5c90afbd

AgentTesla

25f63850c92faee81eaef4dfcf530a5e72689597d0e2b83b3e444e6a6d3ccce0

AgentTesla

48340f28d380e0e6e43850ac870aa0eae6b6fe06bc1db533cc548c2e5bbc9091

AgentTesla

5e0b3550098aeaef4722fe9d3299c218e399fb9d379c04336d70bd1be58f61d1

AgentTesla

718fc86c95456f531fb7ff1ab7d313376cb3db0ed2ef0469b175d1156659845a

AgentTesla

a921089f3327d511043c7feffed9985bfb3a7ca5ee43e0724c344ad8cb63fbf5

AgentTesla

b88b4b4716bc914572c1c9711d2d620ee64f037b0b2cc8c8075f3d7777448925

AgentTesla

d19f7c46b3fa82c6f7902bdc4679d13f9933f72c2826e817bff08e7d0869a92c

AgentTesla

+ 1'512 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

upx spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/200916-3k4k9awn7n/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Looks up external IP address via web service

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

UPX packed file

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Lokibot

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/43d7967618189443a76d5822903ae6133c4def90b5d695b138ac96679d00d87c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z b23c81306e766dd775be753e30fead38c39f021c83cb12585040d16947fef889

AgentTesla

exe 43d7967618189443a76d5822903ae6133c4def90b5d695b138ac96679d00d87c

(this sample)

Delivery method

Other

Dropped by

SHA256 b23c81306e766dd775be753e30fead38c39f021c83cb12585040d16947fef889

Cape

https://www.capesandbox.com/analysis/61486/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample