MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 944ea69a7adfffb602bdac56556138efc104f6ebeaa6bc9161eac4551ea8fb16. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA File information Comments

SHA256 hash:	944ea69a7adfffb602bdac56556138efc104f6ebeaa6bc9161eac4551ea8fb16
SHA3-384 hash:	e87bf7174c3d7f6127f3047c4279d56d5ce58f59a6f242e6642efdcb1d69fe4c1ff3c66bc9153311798a52c97b603164
SHA1 hash:	70a68bdf6ccde6b60604d923043893448ac44f02
MD5 hash:	447a03ebc9cf49088d63a74a3f8f62cd
humanhash:	artist-oranges-river-failed
File name:	roomitinerary .cmd
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	5'205'816 bytes
First seen:	2021-01-12 18:00:02 UTC
Last seen:	2021-01-12 19:49:13 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'747 x AgentTesla, 19'642 x Formbook, 12'245 x SnakeKeylogger)
ssdeep	6144:ZeY2nKCy0QyeITet9eC17Q/zAwQ+wLsSQImGqR58ETiLhcYKfQR4heq9KJDYb+b3:Ze7nKBDwBNVhv
Threatray	70 similar samples on MalwareBazaar
TLSH	B636F4B56FEB28B66035235E1422EF8D5C7ECF302485AAB2D35DC85B4607D076DA2E34
Reporter	abuse_ch
Tags:	AgentTesla cmd

abuse_ch

Malspam distributing AgentTesla:

HELO: secure.zrl.com.zm
Sending IP: 216.194.164.118
From: Heather Perry <heathere@adgentesmission.org>
Subject: Reservations
Attachment: roomitinerary .iso (contains "roomitinerary .cmd")

AgentTesla SMTP exfil server:
mail.royalhotelapartmentet.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

167

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

roomitinerary .cmd

Verdict:

Malicious activity

Analysis date:

2021-01-12 19:04:55 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/30d343f2-693d-4e3e-931a-468bcca070d9

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/111567/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.500.20176.15741.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Sending a UDP request

Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch

Moving of the original file

Enabling autorun by creating a file

Enabling autorun

Result

Threat name:

Unknown

Detection:

malicious

Classification:

adwa.evad

Score:

92 / 100

Link:

https://www.joesandbox.com/analysis/579429

Signature

Creates an undocumented autostart registry key

Creates autostart registry keys with suspicious names

Creates multiple autostart registry keys

Drops PE files to the startup folder

Machine Learning detection for dropped file

Machine Learning detection for sample

Moves itself to temp directory

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/944ea69a7adfffb602bdac56556138efc104f6ebeaa6bc9161eac4551ea8fb16/

Threat name:

ByteCode-MSIL.Trojan.Wacatac

Status:

Malicious

First seen:

2021-01-12 18:00:14 UTC

AV detection:

9 of 28 (32.14%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=srhkngt23773mav5vrlfkyjy57aqj5xl5ktlzelb5lcfkhvi7mla._file

Verdict:

unknown

AgentTesla

09a2e4f8534369466eba713828653e44916f2307420fc47306b1b9cfff181e2c

AgentTesla

52bbd5f868a0a36d7f3ef1d675a8553414cf5057bf2b99b871fec5bcf0720122

AgentTesla

6f96c1cc562c104cb339f346411c7b983c42ccded781115e1de67d645df9a00a

AgentTesla

8daa3b16b15dd52ffb99eb0644b52712d889fe9528f8633dd16b4b405b017130

AgentTesla

ab5ea57fdd5bfa91a11db4d85f99a84e342ead177da5744dff012398d153f4ba

AgentTesla

b657538bf8bc1aca7ca8e7e02f1c5a39cbc8bc343bf7c5ebfe026f6dcc02fe32

AgentTesla

bd316cf33a3964eefab384927f84493c2f1d524660a854f18b1e166e8b93566f

AgentTesla

c39bdd8f7c69c3140ef920e2b1d5965310058c5fa425b871f4d7751d8291d55e

AgentTesla

facf1bd37fa739f82bc10a7a6e7436b4871af89e3c8389270673e2dbb76200e4

AgentTesla

+ 60 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger persistence spyware stealer trojan

Link:

https://tria.ge/reports/210112-lkklcxywss/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of AdjustPrivilegeToken

Adds Run key to start application

Drops startup file

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Modifies WinLogon for persistence

Unpacked files

SH256 hash:

a1f08a850241d47f10610d7b420750b4a1c4d59b71480a4c71f4f06208bcc54d

MD5 hash:

d1ee55c246818820c44e367b6f91c553

SHA1 hash:

3d9c110514ada64c13bb99853847f6e609318072

Link:

https://www.unpac.me/results/a9c6102c-7f51-4e12-ab2d-359f96a61d11/

SH256 hash:

d914406bc4f2d9045c5ace5b21ab3b5483ec3f4a266bf8ea5b4798b72ff01262

MD5 hash:

8d2c627f464a17904446c9ade53a68d5

SHA1 hash:

44327e6192be5ecfe1275bf8ca644b0baf5c0b82

Link:

https://www.unpac.me/results/a9c6102c-7f51-4e12-ab2d-359f96a61d11/

SH256 hash:

944ea69a7adfffb602bdac56556138efc104f6ebeaa6bc9161eac4551ea8fb16

MD5 hash:

447a03ebc9cf49088d63a74a3f8f62cd

SHA1 hash:

70a68bdf6ccde6b60604d923043893448ac44f02

Link:

https://www.unpac.me/results/a9c6102c-7f51-4e12-ab2d-359f96a61d11/

SH256 hash:

76e58a102c59e0f35c2bd33e83f2ea5642ae412461371c367f386cbf55bf1f10

MD5 hash:

eb580c211dcd5e53ad1247c1aea2efaf

SHA1 hash:

9d8028612d00337b3d86a9bb8229f256c7c58f61

Link:

https://www.unpac.me/results/a9c6102c-7f51-4e12-ab2d-359f96a61d11/

SH256 hash:

547320221e3f70659d129ad6faa8f04a898265ab00fcd3da1c0ffb9d577ce7e6

MD5 hash:

2217887599d087f4e95f41ae9023b993

SHA1 hash:

b0f3a01f721f63aafcee8695e99076415912d982

Link:

https://www.unpac.me/results/a9c6102c-7f51-4e12-ab2d-359f96a61d11/

SH256 hash:

9f39b313160b963f1e8ab0cbe7532d76562543b511011aec1b4672bf5c57e301

MD5 hash:

dd111674f06ed4715f321d7e2dc7ed89

SHA1 hash:

f808d058b3841aabcde7dc1a8ad8100010b40b41

Link:

https://www.unpac.me/results/a9c6102c-7f51-4e12-ab2d-359f96a61d11/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Suspicious File

Score:

0.65

Link:

https://yomi.yoroi.company/submissions/944ea69a7adfffb602bdac56556138efc104f6ebeaa6bc9161eac4551ea8fb16

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 9ad52a3f07d6f5670c3f1f7d574dd507bfc50370adf9bd4f66eb16b155cd6916

AgentTesla

exe 944ea69a7adfffb602bdac56556138efc104f6ebeaa6bc9161eac4551ea8fb16

(this sample)

Dropped by

MD5 9529f4c1f7eb8fc16eb47d1661ade651

Delivery method

Distributed via e-mail attachment

Dropped by

SHA256 9ad52a3f07d6f5670c3f1f7d574dd507bfc50370adf9bd4f66eb16b155cd6916

Cape

https://www.capesandbox.com/analysis/111567/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample