MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 94d0cc8135e174d98196284aca5cbcf3d5ebb0ecfa9c223ccc287ad21545b8e9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 94d0cc8135e174d98196284aca5cbcf3d5ebb0ecfa9c223ccc287ad21545b8e9
SHA3-384 hash: c852fba671371313578018aa0d704d6bc0009e5ed2956ceb24eb4c7d31b5b560a6d84f5f97fdc300fda1829f21881f10
SHA1 hash: c699a7345844f03f60a8b539d35548dc323b3184
MD5 hash: 554337a579693274560aa9fed200ba0c
humanhash: kentucky-paris-bravo-fourteen
File name:PAYMENT02U8W627728.scr
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'266'688 bytes
First seen:2020-12-18 06:48:48 UTC
Last seen:2020-12-18 10:04:35 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 24576:+2oHL5pI7+xTOCluu5IBcYn1ITx1ZBUJ+W6kkveyyy:oxT5uWIW26L++Wmv
Threatray 1'885 similar samples on MalwareBazaar
TLSH 8E45BF207FE96715F03FABB466D9604987FEB223E706E95A3CA103C64622F45CD81637
Reporter cocaman
Tags:AgentTesla scr

Intelligence

File Origin
# of uploads :
3
# of downloads :
110
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PAYMENT02U8W627728.scr
Verdict:
Malicious activity
Analysis date:
2020-12-18 06:49:30 UTC
Tags:
trojan rat agenttesla opendir
Link:
https://app.any.run/tasks/0d666ec5-d21a-4b08-9858-872bf7eda93f

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/108407/
Detection(s):
SecuriteInfo.com.Artemis.8824.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Unauthorized injection to a recently created process
Creating a file
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/565968
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/94d0cc8135e174d98196284aca5cbcf3d5ebb0ecfa9c223ccc287ad21545b8e9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-18 02:55:57 UTC
File Type:
PE (.Net Exe)
Extracted files:
30
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=stimzajv4f2ntamwfbfmuxf46pk6xmhm7kocepgmfb5nefkfxduq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
164194c08dd53211cac7f964486f2dfbd9c1c8b4ccf980288d043f3544c7637e
AgentTesla
2b08660c05385174828189e7d4386af6e82dad631bf33a3ac6b75b1ee2928b51
AgentTesla
2d2996c0344c2ed157f9affb6468c803dc196b519574c945c8fe40e445418030
AgentTesla
7b7f6b3a38933a9d06d6315b89df48c695b7ee7e35725649572a4abd17c3496c
AgentTesla
8a3c02f3f221e3874e057b7a98a43560d291f886f4b5351051f2876bc2f8c4e6
AgentTesla
95eaed904a48a580a9ba80eb8193b178f08b3da26d830b7a8b2fa8f5e3b5186e
AgentTesla
9634cf79c1254f6eb68967cc89267c50513f9df930c15bdcc77bbd1fa1b5add6
AgentTesla
96b93e42d633a412f50572331b8b866baf01a3a14bf1f8fadb2d7d9644febaf3
AgentTesla
a51bd84d3facb55aaa7d351f79a6383f50b362c48a7abf373675aedd13aa9770
AgentTesla
d13d830852f0979e5bdc92510044a36622047ff26d660c70783e96dde3e50bad
AgentTesla
+ 1'875 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/201218-8a7dsytakn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
94d0cc8135e174d98196284aca5cbcf3d5ebb0ecfa9c223ccc287ad21545b8e9
MD5 hash:
554337a579693274560aa9fed200ba0c
SHA1 hash:
c699a7345844f03f60a8b539d35548dc323b3184
Link:
https://www.unpac.me/results/592206d9-d8dc-417e-82c6-fe136131d912/
SH256 hash:
30a231f2d4209c94ce69adc56bd23482b8cdb883ee47d059631e3e7746f2b48f
MD5 hash:
f03c4fed697ddb6824a6136f455c4c2e
SHA1 hash:
35c3049c6d1790a3d6590c1b1f857b4be97a48f0
Link:
https://www.unpac.me/results/592206d9-d8dc-417e-82c6-fe136131d912/
SH256 hash:
55abf08a6a6ab7c7848a2bc0410d84befe6dcfa118336e2e4f1ee456a8009efc
MD5 hash:
6ce9761c3c3ae715d40a77b982d31dc9
SHA1 hash:
42a5a02eabe7d80d79408549e7686d4e44524361
Link:
https://www.unpac.me/results/592206d9-d8dc-417e-82c6-fe136131d912/
SH256 hash:
1f038661cd62ecc0a93e94bc5bbdb91b049881a26f86b5baf7067f2337077e89
MD5 hash:
2584c26c6022377ca309929fb0f72e11
SHA1 hash:
76b967e11d41df4752dbdcc6f697c769c8d614a9
Link:
https://www.unpac.me/results/592206d9-d8dc-417e-82c6-fe136131d912/
SH256 hash:
1a50956093a0a9baea13f2e609bfd69676bbbd6d39bc58130a179bdca4391ebb
MD5 hash:
9067b0802659cc1d6bd2395a5bb3b97b
SHA1 hash:
d8b3d8822dc08eb65b5eddcbb7bbf8f50987ea11
Link:
https://www.unpac.me/results/592206d9-d8dc-417e-82c6-fe136131d912/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/94d0cc8135e174d98196284aca5cbcf3d5ebb0ecfa9c223ccc287ad21545b8e9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekshen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 581540f667a937dad9bd5f934ad55e5ee883d8c37fce01ea738e0c05221ce5eb

AgentTesla

Executable exe 94d0cc8135e174d98196284aca5cbcf3d5ebb0ecfa9c223ccc287ad21545b8e9

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 581540f667a937dad9bd5f934ad55e5ee883d8c37fce01ea738e0c05221ce5eb
Cape
Cape
https://www.capesandbox.com/analysis/108407/

Comments