MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 8a953841629e0122e04d2b8cd56422a90919139f5d00df5f00b804752ce519cd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 6


Intelligence 6 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 8a953841629e0122e04d2b8cd56422a90919139f5d00df5f00b804752ce519cd
SHA3-384 hash: 93c7ce2b00051be072bcb60e7da3a2f423eba2c7b61bcb49d90963b21a048bf775936136c1b1fcee5a082572110ea465
SHA1 hash: 80431ad2d448453a39d22ca3d46ae46b53a529c3
MD5 hash: a38d00d48e48bb7d20d4d18725706dc8
humanhash: river-december-failed-steak
File name:PEDIDOS C19015-7267 Y C19020-7266.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:230'400 bytes
First seen:2020-10-21 10:09:29 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:kPpRJuWbmGvWo67CbXwqvexuRHIXqr//hY2jKR:2bmGv9baxuRHIUhYyK
Threatray 25 similar samples on MalwareBazaar
TLSH 59343A01CE5BDD76FC887BF6F8259BEE9B3588281D13F75A02E609889F1D3C408571A6
Reporter abuse_ch
Tags:AgentTesla exe Telegram


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: limon.medyabim.com
Sending IP: 93.89.20.47
From: Santiago Perez <santiago.perez@salico.net>
Subject: RV: PEDIDOS C19015-7267 Y C19020-7268
Attachment: PEDIDOS C19015-7267 Y C19020-7266.img (contains "PEDIDOS C19015-7267 Y C19020-7266.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
81
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74000/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a file in the %AppData% subdirectories
Launching a process
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
88 / 100
Link:
https://www.joesandbox.com/analysis/505646
Signature
Adds a directory exclusion to Windows Defender
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 301879 Sample: PEDIDOS C19015-7267 Y C1902... Startdate: 21/10/2020 Architecture: WINDOWS Score: 88 23 Multi AV Scanner detection for dropped file 2->23 25 Multi AV Scanner detection for submitted file 2->25 27 Yara detected AgentTesla 2->27 29 6 other signatures 2->29 7 PEDIDOS C19015-7267 Y C19020-7266.exe 1 5 2->7         started        11 Chrorne.exe 2 2->11         started        13 Chrorne.exe 2->13         started        process3 file4 19 C:\Users\user\AppData\Roaming\...\Chrorne.exe, PE32 7->19 dropped 21 C:\Users\user\...\Chrorne.exe:Zone.Identifier, ASCII 7->21 dropped 31 Adds a directory exclusion to Windows Defender 7->31 15 powershell.exe 25 7->15         started        signatures5 process6 process7 17 conhost.exe 15->17         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/8a953841629e0122e04d2b8cd56422a90919139f5d00df5f00b804752ce519cd/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-21 09:15:53 UTC
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=rkktqqlctyasfycnfognkzbcveerse47luan6xyaxachklhfdhgq._file
Verdict:
unknown
Similar samples:
06b7205ba6898b1f45883d5a313c1e3e39d8c226eec0ae289f42106af070e8db
AgentTesla
2e4775c5d181f37f4a0802a9982601352f0a7de1ffd74909024150572ed6522b
AgentTesla
5b832740ae1f2a5c2c10e37aadd6d0b74d647a9ff853f091a2262ef0ae2c672c
AgentTesla
670d2b752c68da68cdfd9d1b2f5a2f994509e563cc7ca3f1049d5503b8f48369
AgentTesla
7c7ea2d4161707e247fe758ddb23f293a31affbc68820fccbe8417daa0507242
AgentTesla
b4267cab9e3e8255b44e1947b4c6bb40901d9f0654c2d0ab40690851fcacf16c
AgentTesla
d8f37e199f10881b2045823553fd64f3f52ec616e24f2235a47dae7c435a3c72
AgentTesla
e69d8cb762149ef5d9cbc14ba3b4c1a48395c5261f9c404608a37c1807f1e19e
AgentTesla
ed184e1c76f982d9537a281ac7cc805179e72d9ca538e7ff202e7be38bfee6ae
AgentTesla
f542321c002730c6da48e824a8cce1210ea130d4d9809e713fb493b15df6b4c0
AgentTesla
+ 15 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
persistence spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201021-1kykfq3thn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Adds Run key to start application
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
8a953841629e0122e04d2b8cd56422a90919139f5d00df5f00b804752ce519cd
MD5 hash:
a38d00d48e48bb7d20d4d18725706dc8
SHA1 hash:
80431ad2d448453a39d22ca3d46ae46b53a529c3
Link:
https://www.unpac.me/results/2bb5884b-542a-4337-a23e-2527710a4bfb/
SH256 hash:
5ef2068a6ab5d7cdc1fc7098113474a4505a5ed49278183261cffb198895920d
MD5 hash:
0b73b9246dd0c51afd56967bd96d782e
SHA1 hash:
3ba01f38ee1a9e729b3ce66c768db4ddd5260288
Link:
https://www.unpac.me/results/2bb5884b-542a-4337-a23e-2527710a4bfb/
SH256 hash:
9273c8a680fbae6e87a99a68cedb27f555014d223307ae576121dfd571bf4d2b
MD5 hash:
d7690f73a7ece66534b5955b1550d46d
SHA1 hash:
f7657101e3299d1e7a367367889a99f47e4027e2
Link:
https://www.unpac.me/results/2bb5884b-542a-4337-a23e-2527710a4bfb/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 54dfd41402b28ce156b99cf2675e10b78ccebe3bdbae67073ebb24fb71b08299

AgentTesla

Executable exe 8a953841629e0122e04d2b8cd56422a90919139f5d00df5f00b804752ce519cd

(this sample)

  
Dropped by
MD5 a84fe3882a6d15652dde4916eacd657b
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 54dfd41402b28ce156b99cf2675e10b78ccebe3bdbae67073ebb24fb71b08299
Cape
Cape
https://www.capesandbox.com/analysis/74000/

Comments