MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94cea10956f43a889c8714c742cb10e57b44919a05c2c4703d3111acc5d6aafc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94cea10956f43a889c8714c742cb10e57b44919a05c2c4703d3111acc5d6aafc
SHA3-384 hash: 878c8388383bf8388ea2ff37f54952ab101340d416d06ae5da4572e353e65fb2b8018a94c1f96bbcd53ff955567d0e2e
SHA1 hash: f23f0dca5dec04e538246c69ee6635f0e0c62591
MD5 hash: d3bc29cf09e1a64461a29ac2fab29aef
humanhash: twelve-purple-five-white
File name:ITEMS_LIST.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:322'637 bytes
First seen:2021-03-04 06:21:14 UTC
Last seen:2021-03-04 06:23:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9f4693fc0c511135129493f2161d1e86 (250 x Neshta, 15 x Formbook, 14 x AgentTesla)
ssdeep 6144:k9mey4JlCjm+2biRxDtZUpryD2grg3o57DnHvOcvhjNp/tT8LxBjZh:Szr6Z8pWKI57zHvBHtWv
Threatray 2'974 similar samples on MalwareBazaar
TLSH A8641226F1E0C8B7E12647F9483FF37CFA32B910A06219D7ABE42C5969717875E0D246
Reporter fabjer
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
98
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
ITEMS_LIST.exe
Verdict:
Malicious activity
Analysis date:
2021-03-04 04:21:53 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/98d484ed-1943-40e2-905b-86e9a8b14198

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/122156/
Detection(s):
Win.Trojan.Neshuta-1
Create hunting rule

PUA.Win.Packer.Pequake-4
Create hunting rule

Sanesecurity.Rogue.0hr.20210304-0306.UNOFFICIAL
Create hunting rule

Win.Virus.Neshta-7101689-0
Create hunting rule

PUA.Win.Downloader.Soft32downloader-6691270-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Win.Trojan.Jadtre-5
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file in the %temp% subdirectories
Creating a process from a recently created file
Creating a file in the Windows directory
Creating a file
Creating a file in the %AppData% subdirectories
Modifying an executable file
Creating a file in the Program Files subdirectories
Launching a process
Sending a custom TCP request
Creating a window
Sending a UDP request
Using the Windows Management Instrumentation requests
Enabling autorun with the shell\open\command registry branches
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a system process
Infecting executable files
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla Neshta
Create hunting rule
Detection:
malicious
Classification:
spre.troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/628044
Signature
.NET source code contains very large array initializations
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Drops executable to a common third party application directory
Drops executables to the windows directory (C:\Windows) and starts them
Drops PE files with a suspicious file extension
Found malware configuration
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample is not signed and drops a device driver
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected Neshta
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 363006 Sample: ITEMS_LIST.exe Startdate: 04/03/2021 Architecture: WINDOWS Score: 100 68 Found malware configuration 2->68 70 Antivirus detection for dropped file 2->70 72 Antivirus / Scanner detection for submitted sample 2->72 74 8 other signatures 2->74 8 svchost.com 1 2->8         started        12 ITEMS_LIST.exe 4 2->12         started        14 svchost.com 2->14         started        process3 file4 44 C:\ProgramData\...\vcredist_x86.exe, PE32 8->44 dropped 46 C:\ProgramData\...\VC_redist.x64.exe, PE32 8->46 dropped 48 C:\ProgramData\...\vcredist_x64.exe, PE32 8->48 dropped 58 107 other malicious files 8->58 dropped 76 Sample is not signed and drops a device driver 8->76 78 Drops executable to a common third party application directory 8->78 80 Infects executable files (exe, dll, sys, html) 8->80 16 gsvvdrf.exe 11 8->16         started        50 C:\Windows\svchost.com, PE32 12->50 dropped 52 C:\Users\user\AppData\Local\...\DismHost.exe, PE32 12->52 dropped 54 C:\Users\user\AppData\Local\...\setup.exe, PE32 12->54 dropped 60 7 other malicious files 12->60 dropped 82 Creates an undocumented autostart registry key 12->82 84 Drops PE files with a suspicious file extension 12->84 20 ITEMS_LIST.exe 1 13 12->20         started        56 C:\Windows\directx.sys, ASCII 14->56 dropped 22 gsvvdrf.exe 11 14->22         started        signatures5 process6 file7 36 C:\Users\user\AppData\Local\...\ot62qpc.dll, PE32 16->36 dropped 24 MSBuild.exe 2 16->24         started        38 C:\Users\user\AppData\Roaming\...\gsvvdrf.exe, PE32 20->38 dropped 40 C:\Users\user\AppData\Local\...\ot62qpc.dll, PE32 20->40 dropped 64 Writes to foreign memory regions 20->64 66 Maps a DLL or memory area into another process 20->66 26 MSBuild.exe 2 20->26         started        42 C:\Users\user\AppData\Local\...\ot62qpc.dll, PE32 22->42 dropped 29 gsvvdrf.exe 22->29         started        32 MSBuild.exe 22->32         started        signatures8 process9 file10 86 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 26->86 88 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 26->88 62 C:\Users\user\AppData\Local\...\ot62qpc.dll, PE32 29->62 dropped 90 Writes to foreign memory regions 29->90 92 Maps a DLL or memory area into another process 29->92 34 MSBuild.exe 29->34         started        signatures11 process12
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/94cea10956f43a889c8714c742cb10e57b44919a05c2c4703d3111acc5d6aafc/
Threat name:
Win32.Virus.Neshta
Create hunting rule
Status:
Malicious
First seen:
2021-03-04 00:43:27 UTC
AV detection:
29 of 29 (100.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sthkcckw6q5irhehctdufsyq4v5ujem2axbmi4b5gei2zrowvl6a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
013066864283e4be87e7bd39b6e75ef40e98014377d520ffd213a8de2d59923f
AgentTesla
4ca088c72f30bf59a43b6da2570c84f03c9a85edceb49c4a5fc4075d67320e16
AgentTesla
50737e711d6a55fe1c6e2289526e2d970a263ab033d93015b52a9fd2e3c5df58
AgentTesla
569d9358801eb518b152cb73009131508a3f14b136b0eb80025ccf438865a440
AgentTesla
5952cc403a58eab272b199a6f39c35bfadf8feeafbadc1a3d30a68e01e93b7ae
AgentTesla
a65c812000900485065a8a2d13fed88aeb45077d8bd14424fe4a3a363e147e14
AgentTesla
c688354e137fcaca21a335e36a8bd8d72862cda728a5bb69c08350d499e9c9c5
AgentTesla
d5269c737f5691eab59bcc8c6ba21a4ad0244e37d87c2fae38543ad15aa6707f
AgentTesla
e640dcc83b88144d234670a8ce722aada3b3472ad0892e884c9d8b6cf460af1d
AgentTesla
e9bd86ab3129da3447a70bac66feb2f90f7829e5b4595cff15a31a45b1cf82f7
AgentTesla
+ 2'964 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210304-zemztf5a82/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
NSIS installer
Enumerates physical storage devices
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
AgentTesla Payload
AgentTesla
Modifies system executable filetype association
Unpacked files
SH256 hash:
94cea10956f43a889c8714c742cb10e57b44919a05c2c4703d3111acc5d6aafc
MD5 hash:
d3bc29cf09e1a64461a29ac2fab29aef
SHA1 hash:
f23f0dca5dec04e538246c69ee6635f0e0c62591
Link:
https://www.unpac.me/results/6b695c01-f586-4a57-bad0-9cb57e570c7c/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
0.74
Link:
https://yomi.yoroi.company/submissions/94cea10956f43a889c8714c742cb10e57b44919a05c2c4703d3111acc5d6aafc

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

iso 7de5607a4d813b02830c68e50fcef26e5a647865d5ba65e4a2fa6b57b940c038

AgentTesla

Executable exe 94cea10956f43a889c8714c742cb10e57b44919a05c2c4703d3111acc5d6aafc

(this sample)

  
Dropped by
SHA256 7de5607a4d813b02830c68e50fcef26e5a647865d5ba65e4a2fa6b57b940c038
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/122156/

Comments