MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 51c6d5ac53034179bcbec97268efdd665f30692376284fed57bb257f42fe17c8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 51c6d5ac53034179bcbec97268efdd665f30692376284fed57bb257f42fe17c8
SHA3-384 hash: d1eea0e9d8d34462db3719091ab9e96df7be3837f9cdfc079756517bcf4993904399c9b2e35fb26fec9b8b9b89ca1782
SHA1 hash: 6c6c71444539426930cc89ea8aa439925e8e2f24
MD5 hash: 1767d2ef68957d2d9ca7c7dc1d057cc3
humanhash: massachusetts-maryland-tango-stream
File name:JESEE FRIED FIRDAY.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:696'832 bytes
First seen:2020-09-25 08:05:41 UTC
Last seen:2020-09-25 08:45:32 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash a9966721868f2b28eaf1fc486a46710f (3 x AgentTesla, 2 x Formbook, 1 x AZORult)
ssdeep 12288:kxojH5jdL/KyCR7PqRo2YQLa3RFC7cvoLTKmhcF9x0Rba53:tljBKnRIIQOhKcCTKZsa
Threatray 1'756 similar samples on MalwareBazaar
TLSH 33E49F27E2E05537C177263E8CCB5B78AD2DBE10FE2469462BE4DD485F38680742929F
Reporter FORMALITYDE
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
106
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/65729/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/474796
Signature
Allocates memory in foreign processes
Antivirus / Scanner detection for submitted sample
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 289847 Sample: JESEE FRIED FIRDAY.exe Startdate: 25/09/2020 Architecture: WINDOWS Score: 100 30 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->30 32 Antivirus / Scanner detection for submitted sample 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 9 other signatures 2->36 7 wscript.exe 1 2->7         started        9 JESEE FRIED FIRDAY.exe 2->9         started        process3 signatures4 12 JESEE FRIED FIRDAY.exe 7->12         started        46 Writes to foreign memory regions 9->46 48 Allocates memory in foreign processes 9->48 50 Maps a DLL or memory area into another process 9->50 52 Queues an APC in another process (thread injection) 9->52 15 notepad.exe 1 9->15         started        17 JESEE FRIED FIRDAY.exe 2 9->17         started        process5 signatures6 54 Writes to foreign memory regions 12->54 56 Allocates memory in foreign processes 12->56 58 Maps a DLL or memory area into another process 12->58 19 JESEE FRIED FIRDAY.exe 15 2 12->19         started        23 notepad.exe 1 12->23         started        60 Drops VBS files to the startup folder 15->60 62 Delayed program exit found 15->62 process7 dnsIp8 28 ftp.airplpetech.com 66.147.239.119, 21, 49731, 49732 HOSTROCKETUS United States 19->28 38 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->38 40 Tries to steal Mail credentials (via file access) 19->40 42 Tries to harvest and steal ftp login credentials 19->42 44 Tries to harvest and steal browser information (history, passwords, etc) 19->44 26 C:\Users\user\AppData\Roaming\...\FOLDER.vbs, ASCII 23->26 dropped file9 signatures10
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/51c6d5ac53034179bcbec97268efdd665f30692376284fed57bb257f42fe17c8/
Threat name:
Win32.Trojan.LokibotCrypt
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 00:55:59 UTC
AV detection:
26 of 29 (89.66%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=khdnllctanaxtpf6zfzgr365mzpta2jdoyue73kxxmsx6qx6c7ea._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
4ae1deecb4b64f1e1b13b215c6b426cd887f1f5b072fb153916373766191d5df
AgentTesla
68c67f845d8c48aa74901553deb7cc31b7f2a27954d75e4f67093c70f81eb9d6
AgentTesla
72ce6d54e53bef9b40b4bc65658af46c49cbc340e87aa8ed7a4d0ef574a1e45c
AgentTesla
a6d47a142ce8ca991f9090ff981c4a4c5a021030fcc9610a582ecb8c96b607bd
AgentTesla
bc2e03ca292da305602c8755453fa87073810a6359f2ec9a0935fe3bb51ef886
AgentTesla
c1c58c6918062b4e641a924b19712a015d1a74b184e3fb19e444216edbdfcedd
AgentTesla
cf22a4ba35e94ec83bdf1aec7b4422009aa33f7c6a2c707513d7b1a9eafb368c
AgentTesla
d325caa897cf6cbf6bbc4f627e39d2376d9f6a3a37c17f91d670aec577d01ea0
AgentTesla
eb8ac6c18675770e603ff7b7c3076cab5bafda10a3634d50d575185d04506708
AgentTesla
f684db86a351d46abae72b79e26a108b75365f2c4819818f0e353f94326042ea
AgentTesla
+ 1'746 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx keylogger trojan stealer spyware family:agenttesla
Link:
https://tria.ge/reports/200925-gavpy1zpr2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
51c6d5ac53034179bcbec97268efdd665f30692376284fed57bb257f42fe17c8
MD5 hash:
1767d2ef68957d2d9ca7c7dc1d057cc3
SHA1 hash:
6c6c71444539426930cc89ea8aa439925e8e2f24
Link:
https://www.unpac.me/results/9df940d7-2a9e-4449-b7fc-4ac59274b8b4/
SH256 hash:
15af95628be624509749f4a673d8fcf608120193354daefdf2c17ce6df90f534
MD5 hash:
7d106efca2075e995c05d869b4c80628
SHA1 hash:
ef32c8fbbbcea1954ca2c797bbe824d6a42beff6
Link:
https://www.unpac.me/results/9df940d7-2a9e-4449-b7fc-4ac59274b8b4/
SH256 hash:
64df0551ccea9e7b644019e29fbf789eea81ce7dc3c52c2ae4181caf080b17fd
MD5 hash:
24fc57c2b79096b68b11cad06c51cede
SHA1 hash:
d4f9628cb71278b90d1cc702ef5b496a18077691
Link:
https://www.unpac.me/results/9df940d7-2a9e-4449-b7fc-4ac59274b8b4/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Tinba
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/51c6d5ac53034179bcbec97268efdd665f30692376284fed57bb257f42fe17c8

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 51c6d5ac53034179bcbec97268efdd665f30692376284fed57bb257f42fe17c8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/65729/

Comments