MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a02ddaa108e3ffefb5b7024adf7190b5eadbd7b73d91f7380aeaffbd01b4cbf4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 8

Intelligence 8 IOCs YARA 2 File information Comments

SHA256 hash:	a02ddaa108e3ffefb5b7024adf7190b5eadbd7b73d91f7380aeaffbd01b4cbf4
SHA3-384 hash:	0574114a3f5cf4ac9080d9925f2e86ed1c80b2ebf78e948edf4441965ae672e7adf8b60fd1cfac00ad9808974671c59b
SHA1 hash:	a567384f56c19f8455c3ba020a9ca6fd00002866
MD5 hash:	66a773113e9571a4ccdfd83f6a35d12d
humanhash:	august-september-delta-cola
File name:	Order list.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	587'776 bytes
First seen:	2020-10-27 08:26:16 UTC
Last seen:	2020-10-27 10:10:23 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'660 x AgentTesla, 19'469 x Formbook, 12'208 x SnakeKeylogger)
ssdeep	12288:d5A11b/L5rr98tPtHQKEcT4nsGCqWzlRyDzpZZud9:d5el/L5daPmrnLCqGlRuZud
Threatray	788 similar samples on MalwareBazaar
TLSH	50C4230E33DC0866DD4F8678997053044FB1D642A64AEF6E99CCEDD6A6233E41A806DF
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing AgentTesla:

HELO: mail.kenyabroadbandsolutions.co.ke
Sending IP: 89.32.144.218
From: Sonia ZY Lahleh Supply Assistant <info@araxmillsltd.com>
Subject: New Order list
Attachment: Order list.pdf.z (contains "Order list.exe")

AgentTesla SMTP exfil server:
us2.smtp.mailhostbox.com:587

Intelligence

File Origin

# of uploads :

# of downloads :

Origin country :

n/a

Vendor Threat Intelligence

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/79679/

Detection(s):

SecuriteInfo.com.Artemis66A773113E95.3399.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Launching a process

Creating a file

Using the Windows Management Instrumentation requests

Unauthorized injection to a system process

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/513036

Signature

.NET source code contains very large array initializations

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Maps a DLL or memory area into another process

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/a02ddaa108e3ffefb5b7024adf7190b5eadbd7b73d91f7380aeaffbd01b4cbf4/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2020-10-27 00:37:45 UTC

AV detection:

23 of 28 (82.14%)

Threat level:

5/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=uaw5viii4p767nnxajfn64mqwxvnxv5xhwi7ooak5l732anuzp2a._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

13af8f732fea5ea0c0c60a400deb50a66677d5e70b3988766728e12a4283348b

AgentTesla

2d5c8fa975518fd2ce9dbe0ea412b4b2e20f56706bfac1bb58cb527d6b60af14

AgentTesla

53b07a538e3dd7aa21d1977941d4d062c8dbfa4de84314f083557a94ba171607

AgentTesla

63e8813f98c05a02ae1c868adf8ca82aabc49e5eadd33368f036440d4116849e

AgentTesla

6980aeb611a463dd259e89d31b6a85a4b4363ead441790e55869c4073f533c0f

AgentTesla

79741ae5b4b9be50e38207c9783a8dca3e6f406695802da271ea4fac14ea3144

AgentTesla

9d36d33688fefea55f7b2b7c25165ab3a85319b5f466174fa2396537187eabe0

AgentTesla

b4f20bb869575d8b20aaf614f422f6a889ed24d9a6031564235ff3f7a7a97bdc

AgentTesla

db14356168d27875343339ce3629b4c73b00a7df7e3be524eaeb508cc4663b5f

AgentTesla

+ 778 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

spyware keylogger trojan stealer family:agenttesla

Link:

https://tria.ge/reports/201027-1d3zz1smxx/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.