MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4c20e0dd862d01aeec7f5db6abd1fa483b0f98ecf5cb546bbf0d51d8cd54b299. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4c20e0dd862d01aeec7f5db6abd1fa483b0f98ecf5cb546bbf0d51d8cd54b299
SHA3-384 hash: ebcd3e38fc28cf379a43371852f0d87b464f4c6ee0d02f6f7d09fc0862d55c3bdf0fbc56bcfc7c986298212956e676f0
SHA1 hash: 378508d5f8cc11a3e92b7c1fe44c31aa3371d026
MD5 hash: ee4ae4eb532e3c0b39a253777f0b5da3
humanhash: golf-pizza-failed-michigan
File name:proforma invoice_pdf.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:601'600 bytes
First seen:2020-11-04 14:21:03 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'638 x Formbook, 12'244 x SnakeKeylogger)
ssdeep 12288:/JmM/GoUVbAijpygIBkXqHrR7lwjTdIwjKGVAGA+wb6K:/JlOPaiVImXqtxATAGA
Threatray 939 similar samples on MalwareBazaar
TLSH 68D4D0B1174C9F51E13F77799120541053F5B882E732DA1EFDA581CE2AA2F858B73B12
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
83
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/82922/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.424.1113.5434.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Creating a file
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/520238
Signature
Found malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4c20e0dd862d01aeec7f5db6abd1fa483b0f98ecf5cb546bbf0d51d8cd54b299/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-04 02:34:51 UTC
File Type:
PE (.Net Exe)
Extracted files:
15
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=jqqobxmgfua253d7lw3kxup2ja5q7ghm6xfvi257bvi5rtkuwkmq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
3f43734203085807cedfed30238b76d87142676522a4ba35270c3da7a26d2d6f
AgentTesla
64c4d370517d05b2add478ca85855bf94c4c51ed05e9e02a92afecc04459ea38
AgentTesla
6609cf9b0aefabaaf1bccc04237e6ff32315960166bf4aa2ff5372cfb51c80d3
AgentTesla
70043ff6d416c9ac20ada0e4b9031e5d55d2733a96eb4ddf3ec327c4b8abd8d2
AgentTesla
9d9e3278180f9d8b038c943eaf74a91002f30ff456bc7e8dfef40ef1a4e8fb4a
AgentTesla
a20e29b157ca333fd7f6503315be7f41df98bf15172c0a8f6cab83451945effe
AgentTesla
a98127f9a0d540a5aa091013a1134d8a8434e50b7f8e8b959ddaac0f45feac04
AgentTesla
d55a3bea3809a1aacc17fbd3e4a1c00e31d326eb12ed07e9ca2215cff41a3bf3
AgentTesla
f00571fb0c082a4a7d66d08af1628b4be7515a74e153adee51db8136ed5918ce
AgentTesla
fa2bcbff57b3c111ea69b6f47cb4f39c4111b124ef97e3ee00347a175f67e93d
AgentTesla
+ 929 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201104-rjbfw5svf6/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
4c20e0dd862d01aeec7f5db6abd1fa483b0f98ecf5cb546bbf0d51d8cd54b299
MD5 hash:
ee4ae4eb532e3c0b39a253777f0b5da3
SHA1 hash:
378508d5f8cc11a3e92b7c1fe44c31aa3371d026
Link:
https://www.unpac.me/results/9b20f311-c3b4-4562-b922-bb52ffb5cdb7/
SH256 hash:
31225f6996a1b37252122876b92751ec39e292a3a193b78d8566cd2f17835ee5
MD5 hash:
bf87cbcd7c46383ae57732dfcc5135fa
SHA1 hash:
48cb41f736d8095ab39cda10ceb22c06379d7330
Link:
https://www.unpac.me/results/9b20f311-c3b4-4562-b922-bb52ffb5cdb7/
SH256 hash:
05b84baf565f597b5af069307b442674488339054f82b061dc81c2bf751d0ab9
MD5 hash:
eb40c5c288a1f9abae1fe44a9ac0f237
SHA1 hash:
73d38baae80474ff4c76bbf31540bc5d6a230299
Link:
https://www.unpac.me/results/9b20f311-c3b4-4562-b922-bb52ffb5cdb7/
SH256 hash:
801ebd71727616c45360abf1bf918ce0528f347bcc013568a45c262d4ead85ed
MD5 hash:
d890934ac88d5f07d661d3ca8fd5fbf7
SHA1 hash:
c5fce4b7177df4af33c389adf7f88d88a72e2f0e
Link:
https://www.unpac.me/results/9b20f311-c3b4-4562-b922-bb52ffb5cdb7/
SH256 hash:
bac5797bde4b2810766a40d95bcdb825ac5b395fcbadd139daa19a44a6cdc049
MD5 hash:
a92cc1f6e0a2742350dfda6726db14c0
SHA1 hash:
e5404e3ed46498deb8ad8966a774540c2b8e9c1e
Link:
https://www.unpac.me/results/9b20f311-c3b4-4562-b922-bb52ffb5cdb7/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/82922/

Comments