MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab
SHA3-384 hash: 31b34c67afd7a93663af10af0f49ffd998eaaae4c534231df4319c7b08b7d81b1dd0842d82f57bf32a0b231942d1920d
SHA1 hash: 0a9addd9a2c37b2c0906206989005ae3b401e9ee
MD5 hash: 209d81d02e23842fd7662f93633c7d12
humanhash: bakerloo-wisconsin-carolina-georgia
File name:PO-448-Order Request.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:702'976 bytes
First seen:2020-10-13 05:58:17 UTC
Last seen:2020-10-13 07:08:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'661 x AgentTesla, 19'474 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:1SXcA/6kFHwXiaCR8kCUaMJBDJEeHKW7Av4K1cO5MmzZ4V:1+l/6kFHwSaC3aMjTKsAv4Kiam
Threatray 589 similar samples on MalwareBazaar
TLSH 0AE4E07B72E89F22E03EDBBD5920498007F2E986F716D54F7DBA11E94153F920BA1213
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing AgentTesla:

HELO: [199.43.204.178]
Sending IP: 199.43.204.178
From: DANSON ELECTRONICS PTY LTD <bbgsales@indiaelec.com.sg>
Subject: PO-448-Order Request
Attachment: PO-448-Order Request.exe

AgentTesla SMTP exfil server:
mail.totallyanonymous.com:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
92
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70270/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.445.32657.6373.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/489213
Signature
Disables Windows Defender (via service or powershell)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 297059 Sample: PO-448-Order Request.exe Startdate: 13/10/2020 Architecture: WINDOWS Score: 100 37 Multi AV Scanner detection for submitted file 2->37 39 Yara detected AgentTesla 2->39 41 Yara detected AntiVM_3 2->41 43 4 other signatures 2->43 7 PO-448-Order Request.exe 1 4 2->7         started        process3 file4 33 C:\Users\...\PO-448-Order Request.exe.log, ASCII 7->33 dropped 45 Writes to foreign memory regions 7->45 47 Disables Windows Defender (via service or powershell) 7->47 49 Injects a PE file into a foreign processes 7->49 11 RegSvcs.exe 7->11         started        15 powershell.exe 25 7->15         started        17 powershell.exe 23 7->17         started        19 12 other processes 7->19 signatures5 process6 file7 35 C:\Users\user\AppData\Roaming\...\gqdBJdt.exe, PE32 11->35 dropped 51 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 11->51 53 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 11->53 55 Hides that the sample has been downloaded from the Internet (zone.identifier) 11->55 21 conhost.exe 15->21         started        23 conhost.exe 17->23         started        25 conhost.exe 19->25         started        27 conhost.exe 19->27         started        29 conhost.exe 19->29         started        31 9 other processes 19->31 signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab/
Threat name:
ByteCode-MSIL.Trojan.Wacatac
Create hunting rule
Status:
Malicious
First seen:
2020-10-13 01:18:15 UTC
AV detection:
20 of 29 (68.97%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=tqwajqhvssgir7jaqd4rd7y7vwxueeblkezetxoa5kdh24lxf6vq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0afff32555fbbdc301d9ffc446e9bebe445d3b186a80bcdbf54342c61e4b4a4d
AgentTesla
66c8e38b2f545edd7660168b8e778c165f200867abb90cd07c2f033ea1ae8405
AgentTesla
7475282fc3b82d0f60ccf30aba39303bc16c9a7a314382560a300dca7257d9f9
AgentTesla
7f717f3d6242070c4f59575f510fa366e5cbd6c17ad484c0735fca89e365a351
AgentTesla
83c594ac88f5f244b256a60178ece0bf715c3c4ef0d93973ff0a741453b71ba1
AgentTesla
b3c33339d1d526eebdd71c8ce0d1f3d0a12be1d5325e7678924e2bfc29a84181
AgentTesla
b6dac3c563e7b771fa56992d6c5ac321278e8ff4653b5f50f283855e672cdb3d
AgentTesla
d8dc17c4b3642e45151c21b7e02f12cda99c8c5ee51549a6f271c3ea1b436c3d
AgentTesla
df2618236af018e94e2c167826edfed81faab5a6c5ace255d84d9f07296a63c7
AgentTesla
e00ba7b865f84ff41de5217b89fb197f5559c137c48d6d84313252cd459f4b12
AgentTesla
+ 579 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  10/10
Tags:
evasion trojan persistence
Link:
https://tria.ge/reports/201013-bslwtkblm2/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Adds Run key to start application
Windows security modification
Modifies Windows Defender Real-time Protection settings
Unpacked files
SH256 hash:
9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab
MD5 hash:
209d81d02e23842fd7662f93633c7d12
SHA1 hash:
0a9addd9a2c37b2c0906206989005ae3b401e9ee
Link:
https://www.unpac.me/results/0ebe6b69-c6d5-48e2-963a-5630604f2819/
SH256 hash:
0b18b8438a7227f464a1c512e662f37c36589f622fb1257ddead86afdf71ba5f
MD5 hash:
30cff88f5f556a559e6627e3a71c184d
SHA1 hash:
1359b83ab4237c001a1ac35e5545abf50b246a91
Link:
https://www.unpac.me/results/0ebe6b69-c6d5-48e2-963a-5630604f2819/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/0ebe6b69-c6d5-48e2-963a-5630604f2819/
SH256 hash:
8ea12503a7748f527c5f3ae6626d23da56142d19d3eddd61a5f222749d6e02b2
MD5 hash:
4fe2a04137e1ddff3e5b60db76410dd1
SHA1 hash:
42a3631ba053a0deeb6ca7d5693964d06ceaee82
Link:
https://www.unpac.me/results/0ebe6b69-c6d5-48e2-963a-5630604f2819/
SH256 hash:
bce98d1e4215eac6be6f90ca3e0d2e7888faa12ff29464dbe6497a5f67ce7ebc
MD5 hash:
aa1f02082a994fa5ade4e64a5ac4cebc
SHA1 hash:
b8fd288803561ef73c0f67c263e7a1a362dd494f
Link:
https://www.unpac.me/results/0ebe6b69-c6d5-48e2-963a-5630604f2819/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe 9c2c04c0f5948c88fd2080f911ff1fadaf42102b513249ddc0ea867d71772fab

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70270/

Comments