MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 855ede90b105a98fb73558c698000d5732c6a06ae45a181c77b422484bd44285. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 5

Intelligence 5 IOCs YARA File information Comments

SHA256 hash:	855ede90b105a98fb73558c698000d5732c6a06ae45a181c77b422484bd44285
SHA3-384 hash:	c1100157629fc32eced93ff8079a4484cebfc5af53d2dd12dcb78741825a7feacf892c0272d04ba64b8c9a7d89cec5d4
SHA1 hash:	e48e1151e9e9db3904e831fcdfd27f562727a141
MD5 hash:	f6224fedc29f0b52fa3d4e23075eb559
humanhash:	april-thirteen-mars-washington
File name:	RFQ - SANITARY FIXTURES.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	463'872 bytes
First seen:	2020-10-26 14:45:11 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep	12288:BWm03Jq8HcD+jr9JU/yfCXhhKF2kgm9lXjUk:BW/3Uuc6jwyaXU2y5Uk
Threatray	42 similar samples on MalwareBazaar
TLSH	C8A40220B4F53927D79A8FFB20B8B62057F1245E471BFA98D67CB6D046827D04BE0A53
Reporter	James_inthe_box
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

1

# of downloads :

63

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/79194/

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

76 / 100

Link:

https://www.joesandbox.com/analysis/511991

Signature

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/855ede90b105a98fb73558c698000d5732c6a06ae45a181c77b422484bd44285/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-26 08:17:21 UTC

File Type:

PE (.Net Exe)

Extracted files:

4

AV detection:

25 of 29 (86.21%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qvpn5efrawuy7nzvlddjqaank4zmnidk4rnbqhdxwqreqs6uikcq._file

Verdict:

unknown

Similar samples:

2e84cd737632fd14d2ac7bb2ad2fb04e79ddd8c35aa6ef397a52f4c139d1c9fb

66218c59b90a7b21032d19dc4c622476971a55c9d7bcf90a3d76b10319e121e4

7220ad8192fd4399d114f8ba2c6ae7e7686e6a7e464dc4dc427a39609ab81c74

8918cac7def47a7ac76637f485862b03b005d3b9eaa6a6b5c99ec781068ccfb6

925afe447ef8e9cfc9b7d2378cc6d5407f35dd66b7660a91ff31f096838e61da

aa62a7c119d52e630f4cd8611896a896f9d4f0a9cb413f2c34e42df42b623385

bd27a7ed5963244a06f89fca7b3cb60b7abe2b5b4f3a37d4a47cf229bbc9f0de

d68e7a3954206abff1334da5830f566fe1f0b1dfce7d7669cdbe4e4b38fd503b

ecd685994c047195bf8a03b9e4a4ea800b970285806a417a9160153da37f76cb

fc7470a56409ddacd8078e88cc72f63d87a0fdf42d986f13d27a0c961d78884d

+ 32 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

evasion

Link:

https://tria.ge/reports/201026-sqq2xxtkcs/

Behaviour

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Maps connected drives based on registry

Checks BIOS information in registry

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

Cape

https://www.capesandbox.com/analysis/79194/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample