MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 61a1cd72c2ea9b57bd8ee98142079bb567a179b3e799802c293bb4d80a2501ab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 61a1cd72c2ea9b57bd8ee98142079bb567a179b3e799802c293bb4d80a2501ab
SHA3-384 hash: 775230cb81c6a8e242726234108c3e909f887fb1636a3a5359692067332eb97bc3ec26b14d09939342d93f9c7e91fa01
SHA1 hash: b8f26047feb800a774458f07610946bf44b2247e
MD5 hash: 9d2bc9fe6fe8ce38ef4b7d9d39f1ad35
humanhash: nine-december-thirteen-xray
File name:PI20080111-Signed..exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:722'944 bytes
First seen:2020-10-05 11:20:20 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 41cd3d95714b0df8060323fdc67b3eba (10 x AgentTesla, 6 x Loki, 1 x MassLogger)
ssdeep 12288:TcAt9L2fndhBK2w3p3z+iqiBZdMuWD9gPP8r7SI8P3Ra:hHqhBFgBg6QSn38
Threatray 963 similar samples on MalwareBazaar
TLSH CBF48D22A2E17433C1661A399CDB6777DC25BE503D28E94A2BE4EC4C5F396813F19393
Reporter abuse_ch
Tags:AgentTesla exe HostGator


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: gateway31.websitewelcome.com
Sending IP: 192.185.143.38
From: Purchase Co-ordinator <lina@cqs.com.vn>
Subject: payment.
Attachment: PI20080111-Signed..rar (contains "PI20080111-Signed..exe")

AgentTesla SMTP exfil server:
mail.ceeit.co.za:587

Intelligence

File Origin
# of uploads :
1
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Gathering data
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/481280
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 293081 Sample: PI20080111-Signed..exe Startdate: 05/10/2020 Architecture: WINDOWS Score: 100 32 Found malware configuration 2->32 34 Multi AV Scanner detection for submitted file 2->34 36 Yara detected AgentTesla 2->36 38 3 other signatures 2->38 7 PI20080111-Signed..exe 2->7         started        10 wscript.exe 1 2->10         started        process3 signatures4 40 Detected unpacking (changes PE section rights) 7->40 42 Detected unpacking (overwrites its own PE header) 7->42 44 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->44 46 6 other signatures 7->46 12 notepad.exe 1 7->12         started        15 PI20080111-Signed..exe 2 7->15         started        17 MpCmdRun.exe 1 7->17         started        19 notepad.exe 7->19 injected 21 PI20080111-Signed..exe 10->21         started        process5 signatures6 48 Drops VBS files to the startup folder 12->48 50 Delayed program exit found 12->50 23 conhost.exe 15->23         started        52 Writes to foreign memory regions 21->52 54 Allocates memory in foreign processes 21->54 56 Maps a DLL or memory area into another process 21->56 25 notepad.exe 1 21->25         started        28 PI20080111-Signed..exe 1 2 21->28         started        process7 file8 30 C:\Users\user\...\PI20080111-Signed..vbs, ASCII 25->30 dropped
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/61a1cd72c2ea9b57bd8ee98142079bb567a179b3e799802c293bb4d80a2501ab/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-05 10:53:39 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=mgq424wc5knvppmo5gaueb43wvt2c6nt46myalbjho2nqcrfagvq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0c2bb30542c1eccedf03c4d33aeed1351ef6415397d90f63a42f3b78a0371516
AgentTesla
15b7b8d7605de957a8bec1830cd04361e5e42d50b0e3fd42c7a15bb16b3c56ae
AgentTesla
27efe7f981e88e619d7a59df155f8b9f7c7bdcc0f52b08de1c0cedeaa9e817d9
AgentTesla
3c1f3c4bbc1216d2034ff7138aefa4ce290ad433a96657b443cdb8c485c8854e
AgentTesla
4e0d9011480354268839674ee979b89b902a9672dc5b728c3428bd613ba65154
AgentTesla
627969cbad79a5c75027afefc27dde640f427ab09b96a2511917ba5a7be1b820
AgentTesla
8460f094293c03a18ceb6c57ac1d3073696a2865033462d8006b8b6b1033f76a
AgentTesla
af78e9a2d4a82521ad67cc63493b8525ebf8c2c1b1fb2530162250daafeb2ec7
AgentTesla
baad571b7bebeb2d292fdff866400947877d8531a7bcbee73635660d73d8cc86
AgentTesla
d2e12e778519b6ea35daaef5eadae95b9f9e7f60676c8ddae1b321e384984c63
AgentTesla
+ 953 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201005-7q3x7xhmyj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
61a1cd72c2ea9b57bd8ee98142079bb567a179b3e799802c293bb4d80a2501ab
MD5 hash:
9d2bc9fe6fe8ce38ef4b7d9d39f1ad35
SHA1 hash:
b8f26047feb800a774458f07610946bf44b2247e
Link:
https://www.unpac.me/results/2fde9431-8e77-489b-b6b3-216ef60b9438/
SH256 hash:
2cf2ecb5eb2f916f864160e7a4bb475de2510f3af387b02f89df9c7b50c32856
MD5 hash:
dda5ed86c1ca024edbaba14e81707f30
SHA1 hash:
a7540e78fd165f312332d4b86dda8b8c45e48522
Link:
https://www.unpac.me/results/2fde9431-8e77-489b-b6b3-216ef60b9438/
SH256 hash:
657a40ce8740f920c0b59a94aa1daa4ea779414697c8d8251b06237fa8f67d65
MD5 hash:
29acb0d81673f16b99646d3fa5ab978e
SHA1 hash:
45c04adf819fb04077d795c124566ef3c56ef572
Link:
https://www.unpac.me/results/2fde9431-8e77-489b-b6b3-216ef60b9438/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/61a1cd72c2ea9b57bd8ee98142079bb567a179b3e799802c293bb4d80a2501ab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 14db1f01da3d84aa827f117607d0d86f4fa5a0a0d184f6bbb61d0d73c57320f2

AgentTesla

Executable exe 61a1cd72c2ea9b57bd8ee98142079bb567a179b3e799802c293bb4d80a2501ab

(this sample)

  
Dropped by
MD5 a3c7421d47f49479790b5a82318966a7
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/68140/
  
Dropped by
SHA256 14db1f01da3d84aa827f117607d0d86f4fa5a0a0d184f6bbb61d0d73c57320f2

Comments