MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 95c2f374fd9468f5a11b3df947216dfef2e5cc93215ed1b84231f99f7a844b56. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 95c2f374fd9468f5a11b3df947216dfef2e5cc93215ed1b84231f99f7a844b56
SHA3-384 hash: 18c90c81b7570a6ef88cc60d99447782a68aaa41647aadbc7b9b919dbc6d84b3e9f57666e0fe82e3bdb8946df6ceccf5
SHA1 hash: ec19cf76f13d4ca3d06c7e7303fef7a9e22da47b
MD5 hash: 09b43ae43676eeddbbe0160b4e101be5
humanhash: ceiling-minnesota-hot-winner
File name:09b43ae43676eeddbbe0160b4e101be5.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:387'584 bytes
First seen:2020-10-06 07:27:23 UTC
Last seen:2020-10-06 09:14:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 3072:pLC6jSxeAWKf+0J4shKDZtjk7r2kZz0OyB1BgAvIQBoqi88mQl69oXjbDNKYDb1V:MiKf+0/hitjkl6VgFcoqn9onD4Epv0
Threatray 159 similar samples on MalwareBazaar
TLSH 38847BBD39971B2CC969073580F644C2FA3A16C23F658A0DA29BA31D1E9370F975335E
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
131
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/68510/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Creating a file in the %temp% subdirectories
Creating a file
Creating a process from a recently created file
Using the Windows Management Instrumentation requests
Reading critical registry keys
Unauthorized injection to a recently created process
Unauthorized injection to a recently created process by context flags manipulation
Stealing user critical data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/482520
Signature
.NET source code contains very large array initializations
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/95c2f374fd9468f5a11b3df947216dfef2e5cc93215ed1b84231f99f7a844b56/
Threat name:
ByteCode-MSIL.Trojan.Kryptik
Create hunting rule
Status:
Malicious
First seen:
2020-10-06 07:29:04 UTC
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=sxbpg5h5sruplii3hx4uoiln73zoltetefpndoccgh4z66uejnla._file
Verdict:
unknown
Similar samples:
0442367788ead3ccf0c9a36805053be48c332ab656f51667f4c08cbbfa3f3ac0
AgentTesla
0e7ba6c8acc0e3de5a31e050eb287daba683c992e12c4715730ef3ccf3bbf575
AgentTesla
1ef855f52b63ceffa3fd30b6bc04bc3a2ffb64a6926d4bca436c0be6456cfd84
AgentTesla
7ff17265ef53a76f3f15ca48db077a3c5dd3d0a5117e0fdfede0f7b32aa6d3a7
AgentTesla
891cd769c1731bfaa4051041a3f48cab616cadc9ddc94cc090d3d6d3194015fa
AgentTesla
b796ebc23a355b8fbd29552b2ff7142f09617c25a30a33d5a92626f69e337d48
AgentTesla
c62ef08103c30d5d2d18fbc2eff820985af40aa377828ef72c3ecad495103511
AgentTesla
ca86c76c753d3c8812228b08c1459bdee50a40b0aa36460906e452f80258c1b7
AgentTesla
d4557d36508f2a62bbb7e58cc6b8a5d1f9588810485b04adf4cc100ee925687a
AgentTesla
f6dc39be69fcb6613defba0c9d8428d71c2a02b118383d4a49a66c6139e690fd
AgentTesla
+ 149 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  8/10
Tags:
spyware
Link:
https://tria.ge/reports/201006-t52n3vgb9s/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Executes dropped EXE
Unpacked files
SH256 hash:
95c2f374fd9468f5a11b3df947216dfef2e5cc93215ed1b84231f99f7a844b56
MD5 hash:
09b43ae43676eeddbbe0160b4e101be5
SHA1 hash:
ec19cf76f13d4ca3d06c7e7303fef7a9e22da47b
Link:
https://www.unpac.me/results/8497ec50-ad86-4aea-ae36-9bacb6170cf0/
SH256 hash:
b80155dbd80f8bc5d3f59e08df47aefa42e73612aac6e8845fad3cae516cbdb0
MD5 hash:
0478256ba4237f2e33b77f8127d9a145
SHA1 hash:
560f2cd098bd81c18174d980652b28a8c90c48e2
Link:
https://www.unpac.me/results/8497ec50-ad86-4aea-ae36-9bacb6170cf0/
SH256 hash:
d065744c83c37b059fd345011b6c21297a5de8bc5ebbc93f05add6315bee770a
MD5 hash:
17d8bbf85363bf3ca0f6b4d0154dfeb7
SHA1 hash:
6295dcb6bfd8907d47b3db14d0d4b230c4f07186
Link:
https://www.unpac.me/results/8497ec50-ad86-4aea-ae36-9bacb6170cf0/
SH256 hash:
a19bd61401c2ccac70bcc3b1585f5c809403dfe4500d7ec48ab0e1ee97e70cdb
MD5 hash:
e295351056fdc881f4b0fcc3f6c7d38c
SHA1 hash:
a135d42f2d859ecf003604abe4b548bfff05b1e4
Link:
https://www.unpac.me/results/8497ec50-ad86-4aea-ae36-9bacb6170cf0/
SH256 hash:
19d9922060be89a70b76e5c0056e751f1baa5d41819235c92cf4f5d7668e1267
MD5 hash:
811864a0b06c529af894a7fec6ddbf47
SHA1 hash:
d35b82933eb06a6ec60e8cbbdb65eb6cdcaeb6d2
Link:
https://www.unpac.me/results/8497ec50-ad86-4aea-ae36-9bacb6170cf0/
Parent samples :
afa2f55e149097f9b250142bbfd94d9d56d10649c96adb079fdb0dfdac7c6660
69e2ae11e1b5cbe120bf02301191a1cf05e87fc09b09d63bd782abbf3615d05d
0b778873c94f6bc89a40294c0e85a38ab82509260cd2a2e8b73d00c5c90e8757
7ddfa6f44a60f4b894321f6977f8121cfb371c3c61ac872c58ba61fd5ee13deb
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/95c2f374fd9468f5a11b3df947216dfef2e5cc93215ed1b84231f99f7a844b56

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/68510/

Comments