MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 85de0c82130ef148deeac89060ea69f4e9e61898361b6f1659c36e94f5dc443b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 2 File information Comments

SHA256 hash:	85de0c82130ef148deeac89060ea69f4e9e61898361b6f1659c36e94f5dc443b
SHA3-384 hash:	464185b9dcc02ca93e4e5d2701ef6abc9af032e9fc8b472428280b7fc43c7d1789e5e83bc5e367c4a966dfe25e811397
SHA1 hash:	acd233d51b73b5f0ee0bd2ee520e8cb8f0ac1444
MD5 hash:	adaaa493e6fef5c060644d3b48a26307
humanhash:	kilo-lithium-tennessee-early
File name:	PaymentDetails.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	646'144 bytes
First seen:	2021-06-22 14:47:23 UTC
Last seen:	2021-06-22 16:01:43 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'606 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:O6e550+TfR82zhXd8UDG6qdmxRIdbzIvN+GsiUSKbkNvXXa2wT++bTV6YNRWR51l:O6Yd8aNKUDbqdmxRIpIIRb+
Threatray	6'042 similar samples on MalwareBazaar
TLSH	1DD46B9C369071EFC56BCD76DEA82C64EA207477930BD207A013029D9E0E99BDF255F2
Reporter	Anonymous
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

139

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PaymentDetails.exe

Verdict:

Malicious activity

Analysis date:

2021-06-22 14:51:07 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/c1883e6e-5b27-4e88-a604-d85bb3c375d4

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/167629/

Detection(s):

SecuriteInfo.com.Variant.Bulz.529162.10384.7002.UNOFFICIAL

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/c9d79847-e4d8-4ae1-a235-c1c4090903ef

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/806072

Signature

Detected unpacking (changes PE section rights)

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/85de0c82130ef148deeac89060ea69f4e9e61898361b6f1659c36e94f5dc443b/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-06-22 14:48:14 UTC

AV detection:

17 of 46 (36.96%)

Threat level:

5/5

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

2357a2cad3fa915263036c5d9de8e77927115db4f07f90934d2335dda3bf22ee

AgentTesla

640857d027059d3b44417bc66b120b8c0841d7d7a072aa458b4be41a9e58b92e

AgentTesla

8417cc20eae7fc71ae18567c9c78d821ec967c11b3359b57721288b7ea67f40a

AgentTesla

8a0d96c6ab22bc62611c7cad581ca536d766063570117e0ddb1747828b5afc96

AgentTesla

c345fbabcb3e55e64341e860bb2916ba52ddea44257d8fa5b79f2ae7062734c8

AgentTesla

c9af30b2a800c774844eee76e019d10b72c4637adbccd34a6de3bcc8a4f32ba4

AgentTesla

dc7425b3b801c9b4b84bbf1beb398893b8bd2cdcd4efdb97a54f7124f733e3e6

AgentTesla

e30e9ec11818e069b23a74a0a47d0a2b91c19556e2851a79c033c2ef0b680974

AgentTesla

e5ea618e1c51b6f724e1527d81465fb53693449199b768bacc62d0caca5c1fbc

AgentTesla

+ 6'032 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210622-yve27qg5bs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

17be53224e365b00405f76415f74d695e9076b67caf90ce4ae5fa1b74a01e648

MD5 hash:

b5d0a5105bb4f485bc8c27c252153ff6

SHA1 hash:

a441ea55a9b7a25e111fd628e7b20682df467212

Link:

https://www.unpac.me/results/957b7bd7-47e0-4eb2-a576-acbe6ac0df73/

SH256 hash:

0e98b32a5ceb3cd2a16d552b59e80b1da6117e11e779b1ae11497cd4163f0545

MD5 hash:

e982aea16737e32d01cba24c2a55c855

SHA1 hash:

6c24b9be9d5ea1b9769dcd9fb62e69f4a92eefe9

Link:

https://www.unpac.me/results/957b7bd7-47e0-4eb2-a576-acbe6ac0df73/

SH256 hash:

5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6

MD5 hash:

072eeac61b35d3f09edee4ff4f80f52d

SHA1 hash:

696fd9905a47e526470c2e234fef32f1ec1b74ad

Link:

https://www.unpac.me/results/957b7bd7-47e0-4eb2-a576-acbe6ac0df73/

SH256 hash:

85de0c82130ef148deeac89060ea69f4e9e61898361b6f1659c36e94f5dc443b

MD5 hash:

adaaa493e6fef5c060644d3b48a26307

SHA1 hash:

acd233d51b73b5f0ee0bd2ee520e8cb8f0ac1444

Link:

https://www.unpac.me/results/957b7bd7-47e0-4eb2-a576-acbe6ac0df73/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/85de0c82130ef148deeac89060ea69f4e9e61898361b6f1659c36e94f5dc443b

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Distributed via e-mail link

Cape

https://www.capesandbox.com/analysis/167629/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample