MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8057851cf4105478c20392952836523bcea180de7ed78247c46fea0f5c9127dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8057851cf4105478c20392952836523bcea180de7ed78247c46fea0f5c9127dc
SHA3-384 hash: 81c71e7008d28f5c2fd324f0b9aa97f5c468a27256067c1a12860e2f8c4049539119c485e17bfcac68e500e53f465f0d
SHA1 hash: 60bd4dfcbb9c1af60b2458b5ef51876b6d65af72
MD5 hash: 80af446a6d770c1d4f4b7529ffebf0e3
humanhash: massachusetts-pluto-high-leopard
File name:doc 101020201811__00940010.xls.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:804'864 bytes
First seen:2020-11-18 12:58:58 UTC
Last seen:2020-11-19 00:25:53 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 5113dec31b8616dbad783836e7188783 (11 x AgentTesla, 2 x HawkEye, 2 x Loki)
ssdeep 12288:+l1aMljBMKnw6WJoGPb5FUoRAVyImHlawr0J5XyC9l:YJCKxWfPNFwyIUlawYvd9l
Threatray 3'060 similar samples on MalwareBazaar
TLSH 26059E23B2A15877C12316788CCB5BB89D2EBED0391B79872BF91D48DF3D2813916197
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: monoaydinlatma.com.tr
Sending IP: 156.96.59.36
From: PINAR GEDİK<pinargedik@monoaydinlatma.com.tr>
Subject: Fw: Teklif İsteği
Attachment: doc 101020201811__00940010.xls.z (contains "doc 101020201811__00940010.xls.exe")

AgentTesla SMTP exfil server:
mail.xtnenergy.gq:587

AgentTesla SMTP exfil email address:
funds@xtnenergy.gq

Intelligence

File Origin
# of uploads :
2
# of downloads :
116
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Using the Windows Management Instrumentation requests
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/541074
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8057851cf4105478c20392952836523bcea180de7ed78247c46fea0f5c9127dc/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-11-18 12:11:56 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=qblykhhucbkhrqqdskksqnsshphkdag6p3lyer6en7va6xere7oa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
286b416351f4ca6cc215c58692af9be6b9f4eb54c4641160e2a31dfd16c43ec7
AgentTesla
4f7a4d62b491af06b4516daf257d1fa797ba9e065f452ce0d71e3b6f0fbc6a45
AgentTesla
60433e0a1c1fb088c5be37ca9760486fd17bb99b848817880b5601e77150e1c8
AgentTesla
68d0f7126ce746301b1b43bb0e65c8809fd5883224d46575b53cc32b3fec570f
AgentTesla
7b87995c3121e530fa11c32b58690f875c58f5dec133c5cb57c22fdf4ee237bb
AgentTesla
b2ec3cbaca68c03cabfbd50b7b94908971b26a52e5eacd80d499844944929c1b
AgentTesla
b61fd6fa3079321e5231c3bdea1d4894b2de3fb8a8e38c2cb2c3d4754a7da86d
AgentTesla
bf487ff7cdbbd998b633b1858a939d8c808bcce65ab9937695475b39deea70a8
AgentTesla
c6d32cce563241de2f9137ed8a1812a2413cbed6f84d4d6870202fa0fcd1e01e
AgentTesla
deb787123698fbdeae3c8561b4c7fef3e01ac5443519661c644608dc9df85867
AgentTesla
+ 3'050 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan upx
Link:
https://tria.ge/reports/201118-7vglmsv5zn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
8057851cf4105478c20392952836523bcea180de7ed78247c46fea0f5c9127dc
MD5 hash:
80af446a6d770c1d4f4b7529ffebf0e3
SHA1 hash:
60bd4dfcbb9c1af60b2458b5ef51876b6d65af72
Link:
https://www.unpac.me/results/f25abb22-5afd-46d4-a024-ab01d95637aa/
SH256 hash:
094db402f71672ed3bd9c55f2ad487dd467fc8693492eb40ecad1569813250ed
MD5 hash:
54e6dd4fe02371981ea59f724252c078
SHA1 hash:
12759cd85589ae414627776d739ab4364ada4b10
Link:
https://www.unpac.me/results/f25abb22-5afd-46d4-a024-ab01d95637aa/
SH256 hash:
c82e4240fc606b9f38ab0b1fd6cb39d9935cff9cae0144245575775153699b4c
MD5 hash:
23a510e7b20d666c361ee5937a573c5f
SHA1 hash:
93a2ca5d3d4546a52c8319b4334306450e90ea38
Link:
https://www.unpac.me/results/f25abb22-5afd-46d4-a024-ab01d95637aa/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 416f0c351936426ea5c6b7d2d2bbfc9489f74fe0baac732cdbe62f742387c258

AgentTesla

Executable exe 8057851cf4105478c20392952836523bcea180de7ed78247c46fea0f5c9127dc

(this sample)

  
Dropped by
MD5 402008cbb074b74f185a2bffe818bb78
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 416f0c351936426ea5c6b7d2d2bbfc9489f74fe0baac732cdbe62f742387c258

Comments