MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 9e045207e83e937a185c2a2418b5582d75d5df52fe6fa54aae2630bc0447defd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 9e045207e83e937a185c2a2418b5582d75d5df52fe6fa54aae2630bc0447defd
SHA3-384 hash: 624a6c3758e4140a617f0be55789ab84366b49618c33564261ee1b81b5f8cbc1bca039a6d274926ffe4a3fa9815544e8
SHA1 hash: e95398199e3d809ef34a3340f126533c28389f35
MD5 hash: 3e0a584332e0c90fd2cdf3032ec8e617
humanhash: virginia-montana-georgia-indigo
File name:Acil Siparis.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:598'528 bytes
First seen:2020-10-16 17:44:06 UTC
Last seen:2020-10-16 19:22:45 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 12288:aRBvDd0TNebyjYaFL7gdHB5vqssEGGMjw5lQkm:aSTz7FL7gBTvqssErMjj
TLSH A5D47CBD6A44E52DED5E5D33C89038EAD12C7C670E4FF107985329DCAC1E291DAB20B5
Reporter abuse_ch
Tags:AgentTesla exe geo TUR


Avatar
abuse_ch
Malspam distributing unidentified malware:

HELO: playsoft.it
Sending IP: 212.35.197.96
From: Tuncay AYKAƇ <tuncayaykac@ditas.com.tr>
Subject: Acil Siparis Talebi
Attachment: Acil Siparis.img (contains "Acil Siparis.exe")

Intelligence

File Origin
# of uploads :
2
# of downloads :
95
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/72216/
Detection(s):
SecuriteInfo.com.Artemis3E0A584332E0.11543.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/494063
Signature
Found malware configuration
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/9e045207e83e937a185c2a2418b5582d75d5df52fe6fa54aae2630bc0447defd/
Threat name:
ByteCode-MSIL.Trojan.Bluteal
Create hunting rule
Status:
Malicious
First seen:
2020-10-16 10:36:40 UTC
AV detection:
22 of 29 (75.86%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=tycfeb7ih2jxugc4fisbrnkyfv25lx2s7zx2ksvoeyylybch336q._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
keylogger stealer spyware trojan family:agenttesla
Link:
https://tria.ge/reports/201016-y9dp1x8bns/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Program crash
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
9e045207e83e937a185c2a2418b5582d75d5df52fe6fa54aae2630bc0447defd
MD5 hash:
3e0a584332e0c90fd2cdf3032ec8e617
SHA1 hash:
e95398199e3d809ef34a3340f126533c28389f35
Link:
https://www.unpac.me/results/b0cc982b-8fc0-4289-83d8-3c5fb702c5a2/
SH256 hash:
f4553070de9009b1490c00c61bc9e6b167044a279226cdbad3cfc820702bf77a
MD5 hash:
15d44e4e9c6635f0d6f90d95f760f27f
SHA1 hash:
046bc1ed19e63a4b37c9a70de3d0be1c60d37137
Link:
https://www.unpac.me/results/b0cc982b-8fc0-4289-83d8-3c5fb702c5a2/
SH256 hash:
fbb286a5e92adcf74bfbe27a9ae9bf5462c65ae8f2fc77c69c927bd00ba081cf
MD5 hash:
c91d728573e0ad9543139c6751a41066
SHA1 hash:
b80e784725283481d0b37ddb8379fd13f39de3a1
Link:
https://www.unpac.me/results/b0cc982b-8fc0-4289-83d8-3c5fb702c5a2/
SH256 hash:
b192a77891224d76c1c1eec544ad3aa2f5125925aff59af336ad010f287c4776
MD5 hash:
dd408c2aadd8229051e43b866aedf07e
SHA1 hash:
f73fc46afe3c4e6f79fdfc6e7d11fad84f93ecd9
Detections:
win_agent_tesla_w1
Create hunting rule
Link:
https://www.unpac.me/results/b0cc982b-8fc0-4289-83d8-3c5fb702c5a2/
Parent samples :
071ba6fa9eef804d528534c2fc314365ab5a4b2dcffdd90eb2bffaabc57ab987
9e045207e83e937a185c2a2418b5582d75d5df52fe6fa54aae2630bc0447defd
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.69
Link:
https://yomi.yoroi.company/submissions/9e045207e83e937a185c2a2418b5582d75d5df52fe6fa54aae2630bc0447defd

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

img 65783f55d1608b26a6f3d80491e37c1b80c73e5a9abf4cce34340abbe87dcd26

AgentTesla

Executable exe 9e045207e83e937a185c2a2418b5582d75d5df52fe6fa54aae2630bc0447defd

(this sample)

  
Dropped by
MD5 1f2c1eb2d9450f26d74b5cc2950f3980
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/72216/
  
Dropped by
SHA256 65783f55d1608b26a6f3d80491e37c1b80c73e5a9abf4cce34340abbe87dcd26

Comments