MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0940b4fc077c18fe05d3b52458591383f22504a963e1f7c88c3ef7e07920fb9. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 3 File information Comments 1
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0940b4fc077c18fe05d3b52458591383f22504a963e1f7c88c3ef7e07920fb9
SHA3-384 hash: 3617dfb1da1c57e84f0122671c8e19e9cb89b891a38073fd46d638cacabdfddcf93bf2c969fcaaf90205be37960b440d
SHA1 hash: 2e9fa30dd3747fece7ee3d90d20dc7dcad5bd8eb
MD5 hash: 5e58e1e3a97f41b316b0c6f741437957
humanhash: michigan-rugby-social-wolfram
File name:5e58e1e3a97f41b316b0c6f741437957
Download: download sample
Signature AgentTesla
Create hunting rule
File size:434'688 bytes
First seen:2021-10-06 09:00:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'743 x AgentTesla, 19'608 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 6144:eG7neQ+3HwOqTz73lboupKwyMCCvUuqyNURjnAoS8hoQ9771mFFyO6Gxr/WuG7Zq:hnnoqn73DKwyAXNUtnAi9lmFFHBYBO
Threatray 10'821 similar samples on MalwareBazaar
TLSH T1D394015DA3374205CD2FC7F02850ABA217795D32216ED3750B9AA0FE2FA7BB01ED4592
Reporter zbetcheckin
Tags:32 AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
172
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
5e58e1e3a97f41b316b0c6f741437957
Verdict:
Malicious activity
Analysis date:
2021-10-06 10:22:25 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/f61e13f2-6e16-450f-b42e-4d477f4bd93a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/195371/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.935-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
Creating a file in the %temp% directory
Delayed writing of the file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/615d65d298a6280f3932cf7d/reports/b73d310c-8f9c-42f9-85c1-09bcb148bc8b/overview
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/7bcb7ab4-240e-4dca-a1c5-78a94919b4a5
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/865373
Signature
.NET source code contains very large array initializations
Contains functionality to register a low level keyboard hook
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Moves itself to temp directory
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 497799 Sample: 8GbKm02TKb Startdate: 06/10/2021 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Found malware configuration 2->33 35 Multi AV Scanner detection for dropped file 2->35 37 7 other signatures 2->37 7 8GbKm02TKb.exe 7 2->7         started        process3 file4 19 C:\Users\user\AppData\...\WmgvlxHWqnK.exe, PE32 7->19 dropped 21 C:\Users\...\WmgvlxHWqnK.exe:Zone.Identifier, ASCII 7->21 dropped 23 C:\Users\user\AppData\Local\...\tmpF592.tmp, XML 7->23 dropped 25 C:\Users\user\AppData\...\8GbKm02TKb.exe.log, ASCII 7->25 dropped 39 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 7->39 41 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 7->41 43 Contains functionality to register a low level keyboard hook 7->43 45 2 other signatures 7->45 11 8GbKm02TKb.exe 2 7->11         started        15 schtasks.exe 1 7->15         started        signatures5 process6 dnsIp7 27 jtinti.com 67.20.76.217, 49818, 587 UNIFIEDLAYER-AS-1US United States 11->27 29 mail.jtinti.com 11->29 47 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->47 49 Moves itself to temp directory 11->49 51 Tries to steal Mail credentials (via file access) 11->51 53 3 other signatures 11->53 17 conhost.exe 15->17         started        signatures8 process9
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a0940b4fc077c18fe05d3b52458591383f22504a963e1f7c88c3ef7e07920fb9/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-10-06 09:01:09 UTC
AV detection:
15 of 45 (33.33%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=uckawt6ao7ay7yc5hnjelbmrha7seucksy7b67eiypxx4b4sb64q._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
207b17cfef7a24b2c2d48f9821a9b4a82caa00fd8157d70072c999f8ac7f7489
AgentTesla
2bff7918842a32e19021595f3276402ff1e1034130ed6dfbf4f3f11dda06a52d
AgentTesla
329fe39db0fd030030088f642763f27fee4d2bb7ec1521d69ea4c89e9e429c25
AgentTesla
3813d5fe541f008c96f3a0f367113a1fa3c047f08815fcd8335c4b829523ca28
AgentTesla
451381760beee5124df9d6fe4d2a447dfcb420473800e9004d86159a0396547f
AgentTesla
66b2e6775e993ebd19ea3b99a092184cd0ab3b751579029a66ceb6eb8b350e28
AgentTesla
71e8044a55f0f599c6b0d3e19981fa6c6eda849f7041b9b86d71ec9287af060e
AgentTesla
b36448538d1e8029314a7998ce8eca1ca7af53b9ad36fd162783830e7b0e3071
AgentTesla
c473dd43fbd7499116a64e44cd33b44776b5fd272845f53ce7a023bb75a4caae
AgentTesla
d90b203b874a7965f1695c39812eac80201b531d2e5b108b518919d0331a6b08
AgentTesla
+ 10'811 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211006-kywhjaahb3/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
12c5a89c643a6f52db4c720fae7a824da7eaad466670053c6c14f0f665e27abd
MD5 hash:
3eb64910917f6081a25dfe5fac87d70f
SHA1 hash:
8a589f4907d92bbc2e6fcce0bbd726f46921b710
Link:
https://www.unpac.me/results/f9f354a5-5646-49b8-a4d7-16bc1d3f35ad/
SH256 hash:
a99f7047a99c7cc4a1675ea024d7c2b9d93f96957e4e60ae458e0defc5d5d231
MD5 hash:
b6a417200bf85835c918f48c606abc52
SHA1 hash:
609ff4a15480c0ab44fb3aca53adcd088e77dc0c
Link:
https://www.unpac.me/results/f9f354a5-5646-49b8-a4d7-16bc1d3f35ad/
SH256 hash:
fe8637d821a39a8b74abce7e043007d38cb9c5cfcb7098af9846cfd98185ac03
MD5 hash:
c380b6831f456ac5cac08c78c0e4dada
SHA1 hash:
3e241a0b9d96c1dfbadd7ee1a8c5ee6d74eba11c
Link:
https://www.unpac.me/results/f9f354a5-5646-49b8-a4d7-16bc1d3f35ad/
SH256 hash:
a0940b4fc077c18fe05d3b52458591383f22504a963e1f7c88c3ef7e07920fb9
MD5 hash:
5e58e1e3a97f41b316b0c6f741437957
SHA1 hash:
2e9fa30dd3747fece7ee3d90d20dc7dcad5bd8eb
Link:
https://www.unpac.me/results/f9f354a5-5646-49b8-a4d7-16bc1d3f35ad/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a0940b4fc077/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0940b4fc077c18fe05d3b52458591383f22504a963e1f7c88c3ef7e07920fb9

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe a0940b4fc077c18fe05d3b52458591383f22504a963e1f7c88c3ef7e07920fb9

(this sample)

  
Delivery method
Distributed via web download
  
URLhaus
https://urlhaus.abuse.ch/url/1657309/
Cape
Cape
https://www.capesandbox.com/analysis/195371/

Comments


Avatar
zbet commented on 2021-10-06 09:00:30 UTC

url : hxxp://xleetaz.xyz/timberland/palingo.exe