MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 954bbd9e612117e2fa3f8c71e72ca98461f7ec20fc028d9910f8629cd170ec2b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 6

Intelligence 6 IOCs YARA File information Comments

SHA256 hash:	954bbd9e612117e2fa3f8c71e72ca98461f7ec20fc028d9910f8629cd170ec2b
SHA3-384 hash:	0f8ced3930e1bc0e5d46ce61e79c019b7b968c5cbdcfda7f8869a0356dc92fdca91dd33d08c737d02c4b2c8af514116b
SHA1 hash:	2929309853d9c0dc36de86c88c92cd4af6fb56e5
MD5 hash:	4359be59a0835b7e548eaf0095515710
humanhash:	fix-thirteen-pizza-kentucky
File name:	0489-Rashid-1000, 1250 & 2000 kVA - Cummins.pdf.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	375'296 bytes
First seen:	2020-09-17 05:12:30 UTC
Last seen:	2020-09-17 06:04:22 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'451 x Formbook, 12'201 x SnakeKeylogger)
ssdeep	6144:j0Sxpig6daiXufpZ+fOGeTscz+6O84XUl9MTsTGJcaAmob86XJ0uduWiT26Op:Xx7iXuf3+fOzsC+X8z0Py86+ap
Threatray	49 similar samples on MalwareBazaar
TLSH	5D84223917BD9326CED853BD94AC38609378F3A6A402FCDF866160EBE5E57608D11833
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

101

Origin country :

n/a

Vendor Threat Intelligence

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/62655/

Detection(s):

SecuriteInfo.com.Trojan.PWS.Siggen2.55377.27944.28253.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Unauthorized injection to a recently created process

Creating a file

Launching a process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/468763

Signature

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

Antivirus / Scanner detection for submitted sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Sigma detected: Suspicious Double Extension

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/954bbd9e612117e2fa3f8c71e72ca98461f7ec20fc028d9910f8629cd170ec2b/

Threat name:

ByteCode-MSIL.Infostealer.Agensla

Status:

Malicious

First seen:

2020-09-17 03:47:44 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=svf33htbeel6f6r7rry6olfjqrq7p3ba7qbi3giq7brjzulq5qvq._file

Verdict:

suspicious

AgentTesla

277848fe676c925becc15a494855ccbc42ee8e2e88cf61144d7de703c82250a0

AgentTesla

37a4202e64f88ef928f46cdb05653527a1201aaffd431022eececff19348515b

AgentTesla

3a8afa181b83a479c7c476791061dd4a7df56a59e21bcb72f0c8a32d76b66d5b

AgentTesla

4d6a4c556af5a4e4a05ca5aadb976af1f792bb509cd17cf26aa2ca3081317e3c

AgentTesla

7b4a3076004fb5f7f9b88f3e0d6bd24caa597393bbfa614c2d9f6e028846a957

AgentTesla

a6871feb491e3c89b11f1ff949f92548a6a1e74a498c41a025a478f51b55c42b

AgentTesla

b98ed6a71c93bc3722112643bea2bbe8767e016d807e0463266ee2fd47ad9e80

AgentTesla

c18d20986c78642ced7ac827d0436033e931d6bfad38b70ab4473cea1da792a2

AgentTesla

dde5198a36a325023e0381c7102067145700653585666a5dcbd5e1c4362d35d8

AgentTesla

+ 39 additional samples on MalwareBazaar

Result

Malware family:

n/a

Score:

9/10

Tags:

n/a

Link:

https://tria.ge/reports/200917-hpbmj9dzm6/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

ServiceHost packer

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

AgentTesla

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/954bbd9e612117e2fa3f8c71e72ca98461f7ec20fc028d9910f8629cd170ec2b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

rar da629d5263063ea207912eeac507ba8e6e3d8a0f841040f2ecdb383d0196d655

AgentTesla

exe 954bbd9e612117e2fa3f8c71e72ca98461f7ec20fc028d9910f8629cd170ec2b

(this sample)

Delivery method

Other

Dropped by

SHA256 da629d5263063ea207912eeac507ba8e6e3d8a0f841040f2ecdb383d0196d655

Dropped by

SHA256 a89538eb67514a59db1306da423ab0ba3d261892df4fbb908943b867dd41f95d

Cape

https://www.capesandbox.com/analysis/62655/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample