MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9a5a7dce1e345ff5dd0d170322b3c02f05511b581f5b3a3e1647d29fef71f8b8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 11


Intelligence 11 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9a5a7dce1e345ff5dd0d170322b3c02f05511b581f5b3a3e1647d29fef71f8b8
SHA3-384 hash: 92b54faa115078bc5757da8b44be0a678b4603a8a38223b415c74edef09f2e00989399d899303764c293717dd39e4aa1
SHA1 hash: 6e222b8e4e31800a9158cbe17e27a4292f3bc095
MD5 hash: 0c463891cf00792bf2b4c833e7d23dcc
humanhash: whiskey-robert-grey-seven
File name:URGENT PO.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:919'552 bytes
First seen:2021-05-25 09:31:16 UTC
Last seen:2021-05-25 10:01:54 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:sJqygTbPC5lYNdsuqx3IXm2uZ47ROAPRWEgHWUaVxfyf3co9gQoFT0waNJy:sL5lOdyx7Z4fwVHWdx86x10H
Threatray 5'263 similar samples on MalwareBazaar
TLSH C415AD2C612EF126C1A8C2794AC5983BE850DF377030BD65ECD77B595B39E40B98227E
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
2
# of downloads :
113
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
URGENT PO.exe
Verdict:
Suspicious activity
Analysis date:
2021-05-25 09:34:59 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/95428114-55c3-488f-99a8-0fe8aeeb374d

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/161826/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/791369
Signature
.NET source code contains very large array initializations
.NET source code contains very large strings
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/9a5a7dce1e345ff5dd0d170322b3c02f05511b581f5b3a3e1647d29fef71f8b8/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-24 19:16:07 UTC
AV detection:
14 of 28 (50.00%)
Threat level:
  1/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tjnh3tq6grp7lxinc4bsfm6af4cvcg2yd5ntupqwi7jj733r7c4a._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
12aca308f4e8bf9d42f8f01ac64b171c5851ffc356222feaafab2a84f307de75
AgentTesla
1cb0c85a07569475b00ff82ad4b7f651c3fafaa1beaef1d4c7a86cfa56bfdb5e
AgentTesla
2a31ce352dedfe83426a33aea06b929ca39d4563434113c0ac4e2d7c1a6eaa0f
AgentTesla
70c093150fa3fde11e3929a1f232ab3a9183efc85bc324e47806eb228cd1c891
AgentTesla
88599325d0c3b5a76bd9815fb19d6a9efb66c9ba213838845c389990429ff70a
AgentTesla
a3d8fe6c96c7cdd697e0f0b2b151891e0082aef6c1d41b01fa7ce50e3d6d640c
AgentTesla
a644d61c1443b8355b00be70da09b63f791bd9ddfad2410648a32ff0cfe2eeab
AgentTesla
cac668b50ea54195a30a9a5bfb64ff95fcc22db46c6f3c993581911c332cfbea
AgentTesla
ebd27ef6fbbbf184d596b9fb113c92c32546abe2a379c12707691e43dfb73472
AgentTesla
fc19eafdcfe6ae03a37ac61ee6fc5fb2c1cf57172c2754dce4aefc3c8a35c976
AgentTesla
+ 5'253 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210525-gep627at6e/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9a5a7dce1e345ff5dd0d170322b3c02f05511b581f5b3a3e1647d29fef71f8b8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9a5a7dce1e345ff5dd0d170322b3c02f05511b581f5b3a3e1647d29fef71f8b8

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/161826/

Comments