MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 47602d03fd9625c7212ea4b5dbb919f587f4e5d5c3eedf58304bf5a851beac9a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	47602d03fd9625c7212ea4b5dbb919f587f4e5d5c3eedf58304bf5a851beac9a
SHA3-384 hash:	2047cc3b61fbe58436285f307811f785843b8c58fc9118bd25b89bd1de722617e4c90971f48b59d2f0d2d3cc1b952e76
SHA1 hash:	219fd67c6c6b4123be2f9c8d35d22a3318ef1335
MD5 hash:	7fc0f82e015beb54208ade3ec31edae0
humanhash:	magnesium-mockingbird-utah-zulu
File name:	cryptedd rock2.0.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	411'648 bytes
First seen:	2020-10-15 11:30:45 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	d16bce0f28023e67cc672637c8231739 (2 x AgentTesla, 2 x Matiex)
ssdeep	12288:9WqTvv4AoX/Y6C3aoXPsgvzpgL4tPvjwGXuFnMDGnYwqmDiBtBTmZ4NX:9Wa34vSpUgtzPvjwGXuFnMDeYwqmDQB5
Threatray	31 similar samples on MalwareBazaar
TLSH	EA94C05966899CB5D52B163440E4E8362D78BCB13EBF8C6B6BC01F4BC8689C11636F4F
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: vps.shvietnam-vn.com
Sending IP: 45.95.169.113
From: info@shvietnam-vn.com
Subject: Re: Quotation Inquiry
Attachment: Quotation0988.SDcan.pdf...zip (contains "cryptedd rock2.0.exe")

AgentTesla SMTP exfil server:
mail.bosut.mk:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/71289/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Launching a process

Creating a window

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/492200

Signature

.NET source code contains very large array initializations

Found malware configuration

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/47602d03fd9625c7212ea4b5dbb919f587f4e5d5c3eedf58304bf5a851beac9a/

Threat name:

Win32.Infostealer.Stelega

Status:

Malicious

First seen:

2020-10-15 01:21:24 UTC

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=i5qc2a75sys4oijous25xoiz6wd7jzovypxn6wbqjp22qun6vsna._file

Verdict:

unknown

AgentTesla

3153b96e0d31eb2901117a088ffcdbe7e88ba65660171b0f0d43295ea21a27b0

AgentTesla

5b9992f4588e6337ada6ed55a1f39fe4a229f31070a04df1c32d18e3c1b0a0b7

AgentTesla

6989ffe534c2303d7fcc4f5f8b81515a3d30a53ecb395a935bc46391de88b023

AgentTesla

6fa65eef03e50dbaba9ba7729d7d5f4a24d9302c028ec1640db45d47096ab29d

AgentTesla

6fefda6e593a6be7de5636905b89eef16e82b904e95bf88245ee067b84cebbed

AgentTesla

735371cde40d19b56069dc9cbf5c68e138b12bf9b188ef448abb7b36be143eb4

AgentTesla

a132044c5acdf6901718ff3e7b6cee80b0d976f32d8876b2352b08d316feacf7

AgentTesla

b48d79e441c68b5204400caff6884ae11446ea12336a66bdf4b8174e9fe3b8a8

AgentTesla

deb96dddc557e467d8e3ac9bf5ee8fc167f74461d84e823925c0f8c7b33422e7

AgentTesla

+ 21 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

7/10

Tags:

spyware

Link:

https://tria.ge/reports/201015-hx1lvjps92/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Unpacked files

SH256 hash:

47602d03fd9625c7212ea4b5dbb919f587f4e5d5c3eedf58304bf5a851beac9a

MD5 hash:

7fc0f82e015beb54208ade3ec31edae0

SHA1 hash:

219fd67c6c6b4123be2f9c8d35d22a3318ef1335

Link:

https://www.unpac.me/results/73f7fde6-809c-44b9-961d-8b271c524a1c/

SH256 hash:

4105ea336e7e521439ddad9c557cc9f8fbbb3dc339805606add16244b5efa0f2

MD5 hash:

a2d2f0b2468ec916733f43637ba0e1ec

SHA1 hash:

864bccff271ab37a670a0306a7a185c6d42776ca

Link:

https://www.unpac.me/results/73f7fde6-809c-44b9-961d-8b271c524a1c/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Trojan

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/47602d03fd9625c7212ea4b5dbb919f587f4e5d5c3eedf58304bf5a851beac9a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.