MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4ceac7ec3850ec9af2132d4786ab4e0c9ca48fe79a39490b86d7ed4ab217e6c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 4ceac7ec3850ec9af2132d4786ab4e0c9ca48fe79a39490b86d7ed4ab217e6c4
SHA3-384 hash: 1a4a2c4489130d7ff45aeb09b2fd6faf3726d57a55e8ffb0629263550440a5f1cc65e547e8c3aa53fd12ca4606acf462
SHA1 hash: 14377e7404ffa22b7e53a0316575050bb12e71e2
MD5 hash: 3cc7698a8d1aed2f196486c18f2e8d35
humanhash: moon-two-pluto-kilo
File name:Print_File_2020_10_27_001,PDF.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:648'192 bytes
First seen:2020-10-27 13:03:04 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'663 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:fV/4rjvGiO9C6EUgmvUNCxsjolDoBSFBhTGBT3Y3VlnRwYuL7o:IO9C6E2MNCxdtoBSThTGBT3Y3V9RwHk
Threatray 378 similar samples on MalwareBazaar
TLSH 67D4AFB23D6164EFCA6F0E71A46AD2C0B9F616CA3BE0460D71AF130C0D15A27971B75B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: [37.46.150.126]
Sending IP: 37.46.150.126
From: Greg Bardin <sales@gommcp.com>
Subject: Order List (PO# 081928)
Attachment: Print_File_2020_10_27_00,PDF.zip (contains "Print_File_2020_10_27_001,PDF.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
82
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/79932/
Detection(s):
SecuriteInfo.com.BehavesLike.Win32.Generic.jc.7888.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Sending a UDP request
Creating a window
Creating a file
Running batch commands
Launching a process
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
63 / 100
Link:
https://www.joesandbox.com/analysis/513640
Signature
.NET source code contains very large array initializations
Creates an autostart registry key pointing to binary in C:\Windows
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Add file from suspicious location to autostart registry
Tries to detect virtualization through RDTSC time measurements
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 305956 Sample: Print_File_2020_10_27_001,PDF.exe Startdate: 27/10/2020 Architecture: WINDOWS Score: 63 32 Multi AV Scanner detection for dropped file 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AgentTesla 2->36 38 2 other signatures 2->38 7 Print_File_2020_10_27_001,PDF.exe 1 8 2->7         started        11 pcalua.exe 1 1 2->11         started        13 pcalua.exe 1 2->13         started        15 OpenWith.exe 2->15         started        process3 file4 26 C:\Users\user\AppData\Roaming\hhng, PE32 7->26 dropped 28 C:\Users\user\AppData\...\AgileDotNetRT.dll, PE32 7->28 dropped 30 C:\Users\user\AppData\...\AddInProcess32.exe, PE32 7->30 dropped 42 Tries to detect virtualization through RDTSC time measurements 7->42 17 cmd.exe 1 7->17         started        19 WerFault.exe 20 3 7->19         started        signatures5 process6 process7 21 reg.exe 1 1 17->21         started        24 conhost.exe 17->24         started        signatures8 40 Creates an autostart registry key pointing to binary in C:\Windows 21->40
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/4ceac7ec3850ec9af2132d4786ab4e0c9ca48fe79a39490b86d7ed4ab217e6c4/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-27 08:20:42 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=jtvmp3bykdwjv4qtfvdynk2obsokjd7hti4usc4g27wuvmqx43ca._file
Verdict:
unknown
Similar samples:
23a9fcae2ce9752788c43abf7c44690775f8f20b22c7ad42d7f52c4202028d4c
AgentTesla
2565e3190558400fb85b0389e7aadf850a4c32d2b7b7d09e37820b8ad361c39a
AgentTesla
395af6b7f6bc4e92938f11552d83d444b18e27708796de86396b91c3898adec4
AgentTesla
5fb23e7a8d39bc15fc97d7f216e8806bff57c1281ec73b44d74272e17dc0105b
AgentTesla
8c6c41d8e0f478b1be11b938bf83066e8cf7a8b294c18c91e0b2570f464bc6d2
AgentTesla
91de70857ce9dbf596a67b2abad7552a467fcc2a155d349799261fb8585e6c18
AgentTesla
95ccbdefafb7f4b5e2a505d3681803940a8fa7a5cae06ee56036009b4253c5ac
AgentTesla
a56c4971d725640fe582ff4f884612d1a59b18d60206099a9c8099168a3c446e
AgentTesla
b938308e908f642f82eb2cfd683a86fcfb09d525e865810dd5af635cfabd315f
AgentTesla
ccd1a40e599ad9f364ca70ef3d02b4850901fdeaddb5c9a4b66405e2bccc9ad2
AgentTesla
+ 368 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
persistence
Link:
https://tria.ge/reports/201027-zxjdfvrs5x/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Adds Run key to start application
Loads dropped DLL
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/4ceac7ec3850ec9af2132d4786ab4e0c9ca48fe79a39490b86d7ed4ab217e6c4

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 0a7dac92a925f3cacdbf8db4c70e8cf35231edd0977f48d9784f1d9ea05d4261

AgentTesla

Executable exe 4ceac7ec3850ec9af2132d4786ab4e0c9ca48fe79a39490b86d7ed4ab217e6c4

(this sample)

  
Dropped by
MD5 a9256fa29e50227b0ace481f39f10126
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/79932/
  
Dropped by
SHA256 0a7dac92a925f3cacdbf8db4c70e8cf35231edd0977f48d9784f1d9ea05d4261

Comments