MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 93f290cc7d1addf57b72773a12b307ba5598c086339d176d9a24a641a7e69d08. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 8

SHA256 hash: 93f290cc7d1addf57b72773a12b307ba5598c086339d176d9a24a641a7e69d08
SHA3-384 hash: b015e43e9540631f19a7fdac9b11ca845f48d31774277961aa3a0b771daf5ae15adaec1afed8ee7be3adc7a97d87f8d8
SHA1 hash: deaa4de8354cb139a85e8d95897327d9646f577f
MD5 hash: 3b69d0e958c913caa6eefe2feb3d605a
humanhash: king-hamper-hotel-mississippi
File name: PO12172020.exe
Signature: AgentTesla
File size: 56'272 bytes
First seen: 2020-12-17 08:41:36 UTC
Last seen: 2020-12-17 10:29:56 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'658 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep: 768:rdDpPCWhN8NsZtbyHtLsIiCrbDgMa66i0LamROuUf2h4c/:rdlL5qtn7rbDTl6DLahuUfg/
Threatray: 1'863 similar samples on MalwareBazaar
TLSH: F6430FD1AEF8865FC42EB33D16E93002BFB60D646A35CB5A5631356229D33845FDE80E
Reporter: abuse_ch
Tags: AgentTesla exe


abuse_ch
Malspam distributing unidentified malware:

HELO: DS7920017.clientshostname.com
Sending IP: 185.180.198.68
From: Cyprus Sasnauskas <info@sales-z.net>
Subject: PO12142020
Attachment: PO12172020.zip (contains "PO12172020.exe")

Intelligence

File Origin
# of uploads: 2
# of downloads: 131
Origin country: n/a

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: PO12172020.exe
Verdict: Malicious activity
Analysis date: 2020-12-17 09:39:44 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Result
Verdict: Malware
Behaviour
Running batch commands
Creating a process with a hidden window
Launching a process
DNS request
Sending a custom TCP request
Unauthorized injection to a recently created process
Creating a file
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Sending a TCP request to an infection source
Adding exclusions to Windows Defender
Result
Verdict: MALICIOUS
Details: Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary may be suspicious or malicious.

Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.adwa.evad
Score: 100 / 100
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Connects to a pastebin service (likely for C&C)
Creates an undocumented autostart registry key
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the startup folder
Injects a PE file into a foreign process
Multi AV Scanner detection for submitted file
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell adding suspicious path to exclusion list
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected AgentTesla
Behaviour
Behavior Graph ID: 331641
Sample: PO12172020.exe
Start date: 17/12/2020
Architecture: WINDOWS
Score: 100

Sample-level signatures:
  Sigma detected: Powershell adding suspicious path to exclusion list
  Multi AV Scanner detection for submitted file
  Yara detected AgentTesla
  4 other signatures

Network contacts (domain, IP, destination port, client ports, ASN, country):
  pastebin.com, 104.23.99.190, 443, 49720, 49727, CLOUDFLARENETUS, United States
  hastebin.com, 104.24.127.89, 443, 49719, 49723, CLOUDFLARENETUS, United States
  192.168.2.1, unknown, unknown

Process tree (indentation = parent/child; [net] contacts, [drop] files written, [sig] signatures):
PO12172020.exe
  [net] pastebin.com (104.23.99.190:443), hastebin.com (104.24.127.89:443)
  [drop] C:\Users\user\AppData\...\PO12172020.exe.log (ASCII)
  [sig] Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
  [sig] Drops PE files to the startup folder
  [sig] Adds a directory exclusion to Windows Defender
  PO12172020.exe
    [net] 192.168.2.1 (unknown), pastebin.com, hastebin.com
    [drop] C:\Users\user\AppData\...\PO12172020.exe (PE32)
    [drop] C:\Users\...\PO12172020.exe:Zone.Identifier (ASCII)
    [sig] Creates an undocumented autostart registry key
    [sig] Creates autostart registry keys with suspicious names
    [sig] Creates multiple autostart registry keys
    [sig] 2 other signatures
    cmd.exe
      conhost.exe
      timeout.exe
    powershell.exe
      conhost.exe
    powershell.exe
      conhost.exe
    3 other processes
      conhost.exe
      conhost.exe
  cmd.exe
    conhost.exe
    timeout.exe
  powershell.exe
    conhost.exe
PO12172020.exe
  [sig] Injects a PE file into a foreign process
  cmd.exe
    2 other processes
PO12172020.exe
  cmd.exe
    conhost.exe
PO12172020.exe
Threat name: ByteCode-MSIL.Trojan.Generic
Status: Suspicious
First seen: 2020-12-17 05:03:15 UTC
AV detection: 20 of 28 (71.43%)
Threat level: 5/5

Result
Malware family: n/a
Score: 10/10
Tags: evasion persistence spyware trojan
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Maps connected drives based on registry
Checks BIOS information in registry
Drops startup file
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
Modifies WinLogon for persistence
Modifies Windows Defender Real-time Protection settings
Windows security bypass
Turns off Windows Defender SpyNet reporting
Unpacked files
SHA256 hash: 93f290cc7d1addf57b72773a12b307ba5598c086339d176d9a24a641a7e69d08
MD5 hash: 3b69d0e958c913caa6eefe2feb3d605a
SHA1 hash: deaa4de8354cb139a85e8d95897327d9646f577f
Please note that we are no longer able to provide a coverage score for Virus Total.
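The sandbox behaviours listed above for this sample (a Windows Defender exclusion added from PowerShell, execution delayed with timeout.exe, Run-key and Winlogon persistence, a PE dropped into the Startup folder, and connections to pastebin.com / hastebin.com) can be turned into detection logic over endpoint telemetry. What follows is an added example, not code from MalwareBazaar or from any of the vendors quoted on this page. It assumes simplified Sysmon-style events as Python dicts, assumes the Defender exclusion shows up as an Add-MpPreference command line (the shape the referenced Sigma rule keys on), and every sample event, registry value name, process GUID and the three-label alert threshold is constructed for the example rather than taken from the sample.

```python
"""Detection logic for the behaviours the sandbox reports attribute to this
sample: a Defender exclusion added from PowerShell, execution delayed with
timeout.exe, Run-key and Winlogon persistence, a drop into the Startup folder,
and call-outs to pastebin.com / hastebin.com. Events are simplified Sysmon
style dicts: EventID 1 = process create, 3 = network connect, 11 = file
create, 13 = registry value set. All sample events below are constructed."""
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Paste services this sample contacted; routinely abused as dead-drop C2 config.
PASTE_HOSTS = {"pastebin.com", "hastebin.com"}

RUN_KEY_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)
WINLOGON_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\", re.IGNORECASE)
STARTUP_DIR_RE = re.compile(
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.exe$", re.IGNORECASE)
# Assumed command-line shape behind "Powershell adding suspicious path to
# exclusion list": the public Sigma rule keys on Add-MpPreference -Exclusion*.
DEFENDER_EXCL_RE = re.compile(
    r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.IGNORECASE)
# "cmd /c timeout N" or "timeout /t N" is the usual "delay with timeout.exe".
TIMEOUT_RE = re.compile(r"(^|\\|\s)timeout(\.exe)?\s+(/t\s+)?\d+", re.IGNORECASE)


def classify(ev: Event) -> List[str]:
    """Return the behaviour labels a single event triggers (possibly none)."""
    hits: List[str] = []
    eid = ev.get("EventID")
    if eid == "1":
        cmd = ev.get("CommandLine", "")
        if DEFENDER_EXCL_RE.search(cmd):
            hits.append("defender_exclusion")
        if TIMEOUT_RE.search(cmd):
            hits.append("timeout_delay")
    elif eid == "3":
        if ev.get("DestinationHostname", "").lower() in PASTE_HOSTS:
            hits.append("paste_site_c2")
    elif eid == "11":
        if STARTUP_DIR_RE.search(ev.get("TargetFilename", "")):
            hits.append("startup_folder_drop")
    elif eid == "13":
        target = ev.get("TargetObject", "")
        if RUN_KEY_RE.search(target):
            hits.append("run_key_persistence")
        if WINLOGON_RE.search(target):
            hits.append("winlogon_persistence")
    return hits


def score_events(events: Iterable[Event]) -> Tuple[int, Dict[str, List[str]]]:
    """Count distinct behaviours across all events and list hits per process.

    A single behaviour (an installer writing its own Run key) is common and
    should not alert on its own; the sample above triggers every label here,
    so the alert threshold used (an assumption) is three or more distinct labels.
    """
    per_proc: Dict[str, List[str]] = {}
    for ev in events:
        for label in classify(ev):
            per_proc.setdefault(ev.get("ProcessGuid", "?"), []).append(label)
    distinct = {label for hits in per_proc.values() for label in hits}
    return len(distinct), per_proc


ALERT_THRESHOLD = 3

# Constructed telemetry mirroring the reported process tree
# (PO12172020.exe -> cmd.exe/timeout.exe, powershell.exe; pastebin.com on
# 104.23.99.190:443). Registry value names, paths and GUIDs are illustrative.
SAMPLE_EVENTS: List[Event] = [
    {"EventID": "1", "ProcessGuid": "{A}", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\user\Desktop\PO12172020.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c timeout 5'},
    {"EventID": "1", "ProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\user\Desktop\PO12172020.exe",
     "CommandLine": r'powershell Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming"'},
    {"EventID": "13", "ProcessGuid": "{C}", "Image": r"C:\Users\user\AppData\Roaming\PO12172020.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\PO12172020"},
    {"EventID": "13", "ProcessGuid": "{C}", "Image": r"C:\Users\user\AppData\Roaming\PO12172020.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"},
    {"EventID": "11", "ProcessGuid": "{C}", "Image": r"C:\Users\user\AppData\Roaming\PO12172020.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PO12172020.exe"},
    {"EventID": "3", "ProcessGuid": "{C}", "Image": r"C:\Users\user\AppData\Roaming\PO12172020.exe",
     "DestinationHostname": "pastebin.com", "DestinationIp": "104.23.99.190", "DestinationPort": "443"},
    # Benign noise: a sync client registering its own Run key scores one label only.
    {"EventID": "13", "ProcessGuid": "{D}", "Image": r"C:\Users\user\AppData\Local\OneDrive\OneDrive.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]

if __name__ == "__main__":
    n, per_proc = score_events(SAMPLE_EVENTS)
    print(f"{n} distinct behaviours, alert={n >= ALERT_THRESHOLD}")
    for guid, labels in per_proc.items():
        print(f"  {guid}: {', '.join(labels)}")
```

Scoring on distinct behaviours rather than on any single match is the point: the OneDrive Run key in the constructed data scores one label and stays below the threshold, while the PO12172020.exe tree trips all of them. In production the same logic belongs in a SIEM correlation rule keyed on the process tree, with the per-event matches kept as the evidence shown to the analyst.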

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam | AgentTesla | Executable exe 93f290cc7d1addf57b72773a12b307ba5598c086339d176d9a24a641a7e69d08 (this sample)

Delivery method: Distributed via e-mail attachment

Comments