MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85b580fc9c82956212145424c8974d85b0d1b2418544b3ca691b0c040011782c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 13

Intelligence 13 IOCs YARA File information Comments

SHA256 hash:	85b580fc9c82956212145424c8974d85b0d1b2418544b3ca691b0c040011782c
SHA3-384 hash:	f86292b3b32655d0f2a563e495ca47b69bdf0fd23abc77c9449aaaa4086b6db02d5891ee36d408c40b5400b436386f89
SHA1 hash:	6dc6427e57190cca2297aab5ace8d1438abec281
MD5 hash:	bfeb5e335da4ef0f0b24c892aa0023e9
humanhash:	orange-triple-colorado-enemy
File name:	pou753.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'255'678 bytes
First seen:	2021-10-15 08:31:30 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:rAOcZEhvXanVAKO+d/Nx75/E3KvxUsAiuju9Ilf3V:t1iOKX1t/xUsAirS9
Threatray	12'902 similar samples on MalwareBazaar
TLSH	T1A145E003E38544BBD479073545A71F217FBAA8301BB69B6B6BA0493DAE723407E34F91
File icon (PE):
dhash icon	a4a1b4ecd335ff5b (25 x NanoCore, 4 x AgentTesla, 2 x RemcosRAT)
Reporter	GovCERT_CH
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

248

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

pou753.exe

Verdict:

Malicious activity

Analysis date:

2021-10-15 08:33:49 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/6239b985-e96c-4ad5-a343-c843e589fe94

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/197714/

Detection(s):

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file in the %AppData% subdirectories

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Creating a file

Creating a file in the %temp% directory

Adding an access-denied ACE

Launching a process

Unauthorized injection to a recently created process by context flags manipulation

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

formbook greyware overlay packed wacatac

Link:

https://www.filescan.io/uploads/61693c87fd35fe780c4289ca/reports/c9690d64-4a1d-47fc-b1c6-bb54319e1ce7/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/2897bffa-843c-4963-819f-65da80192463

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/871037

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Drops PE files with a suspicious file extension

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/85b580fc9c82956212145424c8974d85b0d1b2418544b3ca691b0c040011782c/

Threat name:

Win32.Trojan.Rasftuby

Status:

Malicious

First seen:

2021-10-15 04:24:24 UTC

AV detection:

21 of 45 (46.67%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=qw2yb7e4qkkweequkqsmrf2nqwyndmsbqvclhstjdmgaiaarpawa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3afedea501a9bca64d1d400f5e3aa79e1f0d359a035d84569c123d49458425f2

AgentTesla

7d099dcd6d912e29120d1eca72f100724fa776e8a1f80b22fbb52e6de905d324

AgentTesla

940ad66c876976f4a05f12710687f5abb76443f693dd3986d1ff7a4c73fc866f

AgentTesla

a64c1b956bb79c5cfec594165a4ba37e9f695f8f83ec2b7bc2729d19c2598cd5

AgentTesla

a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183

AgentTesla

c8c67b9895ec2b463cc43a5c9c1e32363ff1a7a061c99d01dd3de5691e9d1d47

AgentTesla

ccca82e76f5e7fae5c3bcf6a5ff542f95ad241e2c47a00c969ddbf2f50beda25

AgentTesla

+ 12'892 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla collection keylogger spyware stealer trojan

Link:

https://tria.ge/reports/211015-kfas4sbdfq/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Enumerates physical storage devices

Suspicious use of SetThreadContext

Accesses Microsoft Outlook profiles

Loads dropped DLL

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Executes dropped EXE

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

77423382a19c79240d424022aab0ab73483ba2ccaedfb31f5611320641c0818f

MD5 hash:

7073c465ae91f2fec1e3eeb86349841c

SHA1 hash:

7878f7b53c335025c043caee1a70fb8ab756b861

Link:

https://www.unpac.me/results/4aeee4d2-d5fd-4ad8-8f74-a8bbb24224fb/

SH256 hash:

85b580fc9c82956212145424c8974d85b0d1b2418544b3ca691b0c040011782c

MD5 hash:

bfeb5e335da4ef0f0b24c892aa0023e9

SHA1 hash:

6dc6427e57190cca2297aab5ace8d1438abec281

Link:

https://www.unpac.me/results/4aeee4d2-d5fd-4ad8-8f74-a8bbb24224fb/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/85b580fc9c82/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/85b580fc9c82956212145424c8974d85b0d1b2418544b3ca691b0c040011782c

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

exe 85b580fc9c82956212145424c8974d85b0d1b2418544b3ca691b0c040011782c

(this sample)

Dropped by

agenttesla

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/197714/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample