MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95b9a66abb8bb765e9a831ee0da955a879fbda3d8b52174f69aa4db7ca53ba09. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95b9a66abb8bb765e9a831ee0da955a879fbda3d8b52174f69aa4db7ca53ba09
SHA3-384 hash: 17cd8ba65efc829588c3cd3008865950eef86f5c112b99322d33b6286821109117e35c35c830ffec0992616fd1e1c18d
SHA1 hash: a6f76b50e0b0ee768eda5e0142342a16a99e226d
MD5 hash: 82142131204334c2eb6835617a1ae785
humanhash: alanine-sink-two-beer
File name:SHPT-Comp Docs & Invoice Duty _ P.list Phyto Cert-End_Use.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:800'072 bytes
First seen:2021-02-08 06:35:17 UTC
Last seen:2021-02-08 09:08:37 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 0f3b9aa4dc1bf9f845ef0335e50b9bfb (3 x RemcosRAT, 2 x Loki, 1 x AgentTesla)
ssdeep 6144:lFPWRHiwr74CdbpWOe00Ve7qDp83g7a203SC5ExNGWlEV23cfuF/NXOklLwpzsNo:fORH5bWOSpGya2XsVybdEtszBArlwb4
Threatray 63 similar samples on MalwareBazaar
TLSH 86057CE572408976E0362BBC8C4653A40527BCC0A91D1A4F8BB8FF0B6E747997DDD06B
Reporter cocaman
Tags:AgentTesla exe signed

Code Signing Certificate

Organisation:MEDIATEK INC.
Issuer:Symantec Class 3 SHA256 Code Signing CA
Algorithm:sha256WithRSAEncryption
Valid from:2015-08-24T00:00:00Z
Valid to:2017-06-24T23:59:59Z
Serial number: 635517466b67bd4bba805bc67ac3328c
Intelligence: 6 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: d95697633ca6617fc3936148dccdcbcf3626430631889b134626e6442267dc2f
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform

Intelligence

File Origin
# of uploads :
2
# of downloads :
99
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
SHPT-Comp Docs & Invoice Duty _ P.list Phyto Cert-End_Use.exe
Verdict:
Malicious activity
Analysis date:
2021-02-08 06:36:39 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/570b6467-2e37-42bf-b806-c547e1a0c22a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/116006/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Suspicious
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending a custom TCP request
Creating a file
Deleting a recently created file
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/601501
Signature
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Svchost Process
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95b9a66abb8bb765e9a831ee0da955a879fbda3d8b52174f69aa4db7ca53ba09/
Threat name:
Win32.Trojan.Delf
Create hunting rule
Status:
Malicious
First seen:
2021-02-08 06:36:08 UTC
File Type:
PE (Exe)
Extracted files:
68
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=sw42m2v3ro3wl2nighxa3kkvvb47xwr5rnjbot3jvjg3psstxieq._file
Verdict:
malicious
Similar samples:
235602d2819de318cb16c1653d3e2500b64688ad18f8f4e960dff1ab0b7e4b74
AgentTesla
357ab6a0cf97d36af99606bce098c476c4a24085f4d972038b11b3570486d620
AgentTesla
56fec820ce36b3b5f155dba31e5ba880078fc7bcc6420fc2fb4ca5af6ac5725b
AgentTesla
5edcaa5dd9d8d6726e02b8bd53b8c8695d781d9c324ac4805da72daf3cf5df0d
AgentTesla
895d91361b7463bb678ee12f902579a5897d72bc0717784bdf017e703b3097fd
AgentTesla
a8889ff384c38b97b5a48ef4e9586df7c281f40e2719fe248b0d252832969521
AgentTesla
aa9c1ce82c3c4c29355c38931c6cc6e1cd1414051c772de3fbf0cd9439c52965
AgentTesla
f22c7b400f9e06797188424e3a849218cb7a1fd76437a988f60391fa5e17dfca
AgentTesla
f4f0c2b0fcc641a850b0aaf356f5119f7d6568be3d4b5251a6c6dec1b3e7920f
AgentTesla
f631405eb61bdf6f6e34657e5b99273743e1e24854942166a16f38728e19f200
AgentTesla
+ 53 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/210208-w6vqlpbh2a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Enumerates connected drives
AgentTesla
Unpacked files
SH256 hash:
38919c96274afe44c440fa298fc363e1217dfa355da38dd4de2ef213808870c2
MD5 hash:
c3d226b590a22cb9f1aa308748ff47dd
SHA1 hash:
64504ed945df46476fc3ac19dd42972966206e52
Link:
https://www.unpac.me/results/142e7c05-5b31-4d1f-92e5-204ea0b21263/
SH256 hash:
95b9a66abb8bb765e9a831ee0da955a879fbda3d8b52174f69aa4db7ca53ba09
MD5 hash:
82142131204334c2eb6835617a1ae785
SHA1 hash:
a6f76b50e0b0ee768eda5e0142342a16a99e226d
Link:
https://www.unpac.me/results/142e7c05-5b31-4d1f-92e5-204ea0b21263/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Cryptor
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95b9a66abb8bb765e9a831ee0da955a879fbda3d8b52174f69aa4db7ca53ba09

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

r00 0868083e693208f19cd0f8b4896886fe6d7aa7ce3146139dd6665c5b08fbd520

AgentTesla

Executable exe 95b9a66abb8bb765e9a831ee0da955a879fbda3d8b52174f69aa4db7ca53ba09

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 0868083e693208f19cd0f8b4896886fe6d7aa7ce3146139dd6665c5b08fbd520
Cape
Cape
https://www.capesandbox.com/analysis/116006/

Comments