MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 96f626870e2520e8a59b54ba0b232dad58f1a66942781c9b3951a6b1cab29b0c. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 96f626870e2520e8a59b54ba0b232dad58f1a66942781c9b3951a6b1cab29b0c
SHA3-384 hash: 9372077e9ed1a780469efe56508698c01f1d417f5ec55b5a2f58403c86183bd8dcaf4a67743a59572032a509cc81b123
SHA1 hash: 203afa77a19306e6f1e8772d21a836a6de2e9d83
MD5 hash: c1aabe13455e27d795b57846c15bc002
humanhash: carpet-leopard-tennessee-mockingbird
File name:IMG_20201103_00184197413227348173.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:483'840 bytes
First seen:2020-11-06 07:37:15 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'657 x AgentTesla, 19'468 x Formbook, 12'206 x SnakeKeylogger)
ssdeep 12288:UV02NY8QFhe7IaxZni4V2i6xFF17NaXs+inEAmD:Ueyaza3FN6r7Ssl
Threatray 134 similar samples on MalwareBazaar
TLSH 33A49EF871195CA5F52F4636D9A9BDA402B23E53CACBA84C52BCF65316F3362BD0180D
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: smarthost1.orion.rs
Sending IP: 77.105.0.34
From: Massimiliano Melloni <mellonei@tecno-gru.it>
Subject: INQUIRY
Attachment: IMG_20201103_00184197413227348173.img (contains "IMG_20201103_00184197413227348173.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
79
Origin country :
n/a
Vendor Threat Intelligence
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/522223
Signature
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/96f626870e2520e8a59b54ba0b232dad58f1a66942781c9b3951a6b1cab29b0c/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-11-06 01:40:05 UTC
AV detection:
21 of 29 (72.41%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=s33cnbyoeuqorjm3ks5awiznvvmpdjtjij4bzgzzkgtldsvstmga._file
Verdict:
unknown
Similar samples:
07cd96e62ab4c7dda66eebc73deceb557a6634c273395d71e410fc7033f9d8b5
AgentTesla
1f63aff33db6b9a2920969f2f8d4ccb92f745596881cfa3fc9f651162aa43e88
AgentTesla
2800f779fcf9eb82626c08e19c5c2a46a149a1a0d046ef79c6c9ac1a44c6017e
AgentTesla
2e7fb1942902bbea5c1fbaa31a479c473e4d4143b43d767616e25cca1e52f2a2
AgentTesla
334ab59399997e54878083e726a2dbc5d41f844025742b4ea35921a93bf24d68
AgentTesla
373ea9d6b1b0a80139154d2923416f3989c697ed248eee940331b88afacea073
AgentTesla
3e04c6db7fc715a376f13110e1f00da3a88ec6a934b6f164a9f1e0424d01a6da
AgentTesla
c5216e025f487ad72623e702871432afa40739fc1d2b24fca4bcbd7f009d0064
AgentTesla
f089cbd6d20afda4f1e00ed09abd44c9f271c8db61bbb1ce07048fadda34b1ec
AgentTesla
f597dd6da2eee93a18a174b4579b95e038ee31e88bde5fd470fdf2fd3fbfbf46
AgentTesla
+ 124 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/201106-xpyeywxa7a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
96f626870e2520e8a59b54ba0b232dad58f1a66942781c9b3951a6b1cab29b0c
MD5 hash:
c1aabe13455e27d795b57846c15bc002
SHA1 hash:
203afa77a19306e6f1e8772d21a836a6de2e9d83
Link:
https://www.unpac.me/results/bb1ba0c7-12c7-4771-a8e6-2b12d8607db6/
SH256 hash:
6adeed5150d0922547984ea05e57e0366963e68128bdba564456a4f978e63669
MD5 hash:
159fa44267e80f0e37b0eb89dfe19473
SHA1 hash:
aedbb41d6391f87d8a9f57228849bee0be0a3abc
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/bb1ba0c7-12c7-4771-a8e6-2b12d8607db6/
Parent samples :
149dfe878fdf84ef902fb91ad1eab30865dc2f751f1a05324d0947e130b939e8
90e924dabd3353c5a2ed1c8e623260c1589042eb472df640b22d4e41d75db920
e8da65e395c309509563df99675f2ddaa5339b55fd944867a479ffc5d3639946
96f626870e2520e8a59b54ba0b232dad58f1a66942781c9b3951a6b1cab29b0c
SH256 hash:
64f9bb91488c5745407be8e9a3cbd99a784a38f85518e5cd189ff1774e7dbc7a
MD5 hash:
57aefaf191ca0eece674d9b75ea4a764
SHA1 hash:
d48550925cce3e85c8b01eb51cae50a8ca749d5d
Link:
https://www.unpac.me/results/bb1ba0c7-12c7-4771-a8e6-2b12d8607db6/
Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img ec173736b54bc2f4c5572072687948624400f5c1cf742ef6f629af040711ba3d

AgentTesla

Executable exe 96f626870e2520e8a59b54ba0b232dad58f1a66942781c9b3951a6b1cab29b0c

(this sample)

  
Dropped by
MD5 df3ef3f39103f1a858a5d7ff7e11fb51
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 ec173736b54bc2f4c5572072687948624400f5c1cf742ef6f629af040711ba3d

Comments