MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4585051dc6b7393255db1838a6ced5e5005da977ea7be332cc6540bcfe0379fc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4585051dc6b7393255db1838a6ced5e5005da977ea7be332cc6540bcfe0379fc
SHA3-384 hash: 845ad26d5e452197053b41d20a57fe78d6949d10129b487523f45e2d2211b80144af20d2fe4a795e5c89e1d75b185143
SHA1 hash: fd5cbe0bf0a87159f13e3144fe9eed018ee3753b
MD5 hash: cec34286d1e252676fb44565ddb14663
humanhash: ohio-winner-seventeen-crazy
File name:6u87657956454788order8976866.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:468'016 bytes
First seen:2020-10-23 11:35:36 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:Y0OVHgeRnvIvFNWsfe7cfb0DbO8uezUzJBfJXAua:DKRvIvK37lnO8ueGJBfJXAx
Threatray 733 similar samples on MalwareBazaar
TLSH 79A48C5DCE2BD827FCC87BB6F86099EED72499682C13F306150A1D8DDD5D3D019232AA
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: ko
Sending IP: 185.236.231.232
From: Root User <root@localhost>
Subject: PO# 564578697887 deliver before 30th December
Attachment: 6u87657956454788order8976866.zip (contains "6u87657956454788order8976866.exe")

AgentTesla SMTP exfil server:
mail.fetichalga.com:587

AgentTesla SMTP exfil email address:
ko@fetichalga.com

Intelligence

File Origin
# of uploads :
1
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/75027/
Detection(s):
SecuriteInfo.com.ArtemisCEC34286D1E2.10549.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %AppData% subdirectories
Unauthorized injection to a recently created process
Creating a file
Creating a window
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
68 / 100
Link:
https://www.joesandbox.com/analysis/508059
Signature
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4585051dc6b7393255db1838a6ced5e5005da977ea7be332cc6540bcfe0379fc/
Threat name:
Win32.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 11:01:44 UTC
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=iwcqkhogw44tevo3da4kntwv4uaf3klx5j56gmwmmvalz7qdph6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
10ef779276119f5e40406b61ef84c14da34494f1f839d1047f65961f053baf2b
AgentTesla
46df88abb8b7f783add8e2688ed3fc2632020fc30f6a87172264a4f434af2524
AgentTesla
493ba8398eed500e3af5e0ae2ea45fa5bfdfbc6371bf67a17ee20c050c117927
AgentTesla
5017799e48545886ac896d038e3e9706fa65fb8a8644be0879279fe608dbdf66
AgentTesla
57f9de709f4ec55a5dc4cc77a99997b4c5617e769b2e68e301645b7913d6891a
AgentTesla
72abc3324eb1018186ae67c74ff5a7f319360a80a2f0887cb75e6dbd86a2ebcc
AgentTesla
81a408670b2a419c4383f47f1bdc1bf040e8070e8f4eaa734173478a6ee2347c
AgentTesla
973ebbfe874f302c2a1becf596b98ee15598919b1c86dcb9c4b078d1b4535b38
AgentTesla
ba5cf0e14767afbaf1ef4310a5a7a55e152b7c54507a1b567133cdf42493629d
AgentTesla
fee2f1713e8dc0d04fee8d3b1a7c58db555aa8fd37f24145e872e57500b7071e
AgentTesla
+ 723 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201023-ht1g4jzppa/
Behaviour
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
32a5b12cfb371f142ee0f4510aba0b7da07970163dd61c8c1e09df657fb5858b
MD5 hash:
9054b9f517c625d7ad09177923070957
SHA1 hash:
cf29d52ecd883eb871b73dd08e19bf86a74460d0
Link:
https://www.unpac.me/results/dd2c49a0-0f4f-4559-aa10-a6d68392938b/
SH256 hash:
defad4c9399613a28f8cc716ed09714de2bcca437859e1bebeb1cb63f6bc8b83
MD5 hash:
ecf0b4591a8070427f329b9abd98c9fd
SHA1 hash:
6e6a99a06d6f79f59ead12628fa75dac87d1aee6
Link:
https://www.unpac.me/results/dd2c49a0-0f4f-4559-aa10-a6d68392938b/
SH256 hash:
18f9af8607e5313ab24571677006e89ed779256e917cff6398d081f49ed3db48
MD5 hash:
8aa7beb7f52c26f929e88ad1ad6f9c70
SHA1 hash:
c08472f99689d3244d497f6019e2f3488a0d925f
Link:
https://www.unpac.me/results/dd2c49a0-0f4f-4559-aa10-a6d68392938b/
SH256 hash:
4585051dc6b7393255db1838a6ced5e5005da977ea7be332cc6540bcfe0379fc
MD5 hash:
cec34286d1e252676fb44565ddb14663
SHA1 hash:
fd5cbe0bf0a87159f13e3144fe9eed018ee3753b
Link:
https://www.unpac.me/results/dd2c49a0-0f4f-4559-aa10-a6d68392938b/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4585051dc6b7393255db1838a6ced5e5005da977ea7be332cc6540bcfe0379fc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 5c9b550115681c37f855c27858af8b16331f98c008d2e385fbbc77e266cea2fa

AgentTesla

Executable exe 4585051dc6b7393255db1838a6ced5e5005da977ea7be332cc6540bcfe0379fc

(this sample)

  
Dropped by
MD5 8b5d078938cabd3c460292b150fc4e80
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/75027/
  
Dropped by
SHA256 5c9b550115681c37f855c27858af8b16331f98c008d2e385fbbc77e266cea2fa

Comments