MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 932f441f48b8141855595770e135e4835569547461b337fea67a695f33e1e65a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 5


Intelligence 5 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 932f441f48b8141855595770e135e4835569547461b337fea67a695f33e1e65a
SHA3-384 hash: 76ecf8fcdb6e70278056dd23f1c84cb943b9845c05dae0614dcee3dbad4775562d1c8a46b70c6937616e5217d96e4d39
SHA1 hash: 5133db8715914a238b6ee49db1509e125ac74d8e
MD5 hash: 853a5e9e2f33422a1ae20541fa072ab4
humanhash: bulldog-neptune-april-mars
File name:SOA.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:4'270'080 bytes
First seen:2020-10-23 07:01:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 49152:kv4/k7G6huFteGdREfaZEzlb1JVj6DmQqEiaKd91g1Xtzz8w+HEsFF1eSkUKQRHU:kqIiZkFBjcEGow+JF1bXTj52fPL6i
Threatray 27 similar samples on MalwareBazaar
TLSH 1F1622027259EB02E1BD67F0D05418F15BF52C2AD8A9E25F4DA37DEE35B1F004A46B2B
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: stock.ovh
Sending IP: 51.178.87.221
From: wilsonlee <wilsonlee@ogcf-eng.com>
Subject: RE: SOA JUN-OCT. 2020
Attachment: SOA.rar (contains "SOA.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/74965/
Detection(s):
SecuriteInfo.com.Trojan.Siggen10.41605.8980.611.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Creating a file in the %AppData% directory
Creating a file in the %temp% directory
Launching a process
Creating a process with a hidden window
Deleting a recently created file
Creating a file
Forced shutdown of a system process
Blocking the User Account Control
Enabling autorun by creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
80 / 100
Link:
https://www.joesandbox.com/analysis/507869
Signature
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 303062 Sample: SOA.exe Startdate: 23/10/2020 Architecture: WINDOWS Score: 80 24 Sigma detected: Scheduled temp file as task from temp location 2->24 26 Yara detected AgentTesla 2->26 28 Yara detected AntiVM_3 2->28 30 4 other signatures 2->30 7 SOA.exe 4 2->7         started        process3 file4 18 C:\Users\user\AppData\...\rtGvzhoNstK.exe, PE32 7->18 dropped 20 C:\Users\user\AppData\Local\...\tmp2BD7.tmp, XML 7->20 dropped 22 C:\Users\user\AppData\Local\...\SOA.exe.log, ASCII 7->22 dropped 10 schtasks.exe 1 7->10         started        12 RegSvcs.exe 1 7->12         started        14 RegSvcs.exe 7->14         started        process5 process6 16 conhost.exe 10->16         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/932f441f48b8141855595770e135e4835569547461b337fea67a695f33e1e65a/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-23 06:34:42 UTC
AV detection:
19 of 29 (65.52%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=smxuih2ixakbqvkzk5yocnpeqnkwsvdumgztp7vgpjuv6m7b4zna._file
Verdict:
unknown
Similar samples:
2e1f23f4c8536a0f803f8d9f54e5d5c67a99aa2b0c44031d4ed743acd6003887
AgentTesla
3afb9252d528d667bbdf62a3e7a235615ad0814911ca4690505822cbda24c380
AgentTesla
46c3ab59682596a8e030fb0bad3d31c59e502f68b9f3c112309edd82d27513c3
AgentTesla
7538931bad1762c44d0d66ea730a3ca6c5acb18d326f3a2f5bffa1f81864354e
AgentTesla
8c288fd70a35727c16e668d49e1e28964d36a67804e09be663bca9a9ceaeacb4
AgentTesla
9254d3364f3dc1faec6f4f624e1c74f14ddfad19300eca7eb18a4a1a15cf4d98
AgentTesla
ade5a7d8aab5f80cf5b8b97c2bdf22922ef7fafa749b2eb7f1655b0349886196
AgentTesla
b7adf1bb5628fd6ec0905e0d3f32c20c39f401ce845f73e15ce867aca4a531fd
AgentTesla
d03792e976baeea6547686ff0fe4ced755f9bad76ee6e3ff3c5f4adf93cbb0f8
AgentTesla
fbe762c8c464730d016cd2ef76955fe726f74abd031cea612d6a08bce2383a3e
AgentTesla
+ 17 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan
Link:
https://tria.ge/reports/201023-pzttkyeksn/
Behaviour
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetThreadContext
UAC bypass
Unpacked files
SH256 hash:
932f441f48b8141855595770e135e4835569547461b337fea67a695f33e1e65a
MD5 hash:
853a5e9e2f33422a1ae20541fa072ab4
SHA1 hash:
5133db8715914a238b6ee49db1509e125ac74d8e
Link:
https://www.unpac.me/results/7dba858d-c4dd-4feb-b2fc-4a309e05f672/
SH256 hash:
4e97a7e6544f4e4d75652b7812376dda06274c21ad94e67b2ba912d49927dd5a
MD5 hash:
2bad87d1bb6c9804705c81b56731aa43
SHA1 hash:
303f30103acdff64c7b6343fe08259775fde776d
Link:
https://www.unpac.me/results/7dba858d-c4dd-4feb-b2fc-4a309e05f672/
SH256 hash:
c1770c6bbddc5e7f03cb0eab4a736bc26892c4d6c6fa2afed79440b5d3b7bcb3
MD5 hash:
3e05f89496a6fe16a98d6bcc75858329
SHA1 hash:
074667f3cf2074eaaaab00a5024b82a1a3524730
Link:
https://www.unpac.me/results/7dba858d-c4dd-4feb-b2fc-4a309e05f672/
SH256 hash:
31ce938626ccfb399fe1696710caf46d7ae9eb598b9d7d2aad719b594658469b
MD5 hash:
0aebe46040ceb011e78506d4985fe3de
SHA1 hash:
218ac1e7b14a66c604ec3042f8486bed9cd4c2c1
Link:
https://www.unpac.me/results/7dba858d-c4dd-4feb-b2fc-4a309e05f672/
SH256 hash:
03b33dc314e4e48df7f4268c06da860e4f9e2a6440d22c05a5ffe40b10b7b54e
MD5 hash:
e539377f7742afed7dcc4aa5cc4f1691
SHA1 hash:
ce34e5376247792e764b9e57fab51e4df6854997
Link:
https://www.unpac.me/results/7dba858d-c4dd-4feb-b2fc-4a309e05f672/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar 7dcb39db5933136e8b20061a7c2428ab677e4f5e988c766214806e4e60793c89

AgentTesla

Executable exe 932f441f48b8141855595770e135e4835569547461b337fea67a695f33e1e65a

(this sample)

  
Dropped by
MD5 4aaf1bf66d367d18dd33bdcc019e932a
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/74965/
  
Dropped by
SHA256 7dcb39db5933136e8b20061a7c2428ab677e4f5e988c766214806e4e60793c89

Comments