MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a09cc41fc5c688ee8d659a26c7a50d422513b8fc6a1636ae091a1572855a5041. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 11

Intelligence 11 IOCs YARA 3 File information Comments

SHA256 hash:	a09cc41fc5c688ee8d659a26c7a50d422513b8fc6a1636ae091a1572855a5041
SHA3-384 hash:	ae36d8a64e205b1774853e0cc87b5f404685a3a1511cfbd7f5d75efb1cfdcf7d11b6f2ac311090b0691214d9776b7f27
SHA1 hash:	0842da4cf14dadbf2fcebbfd4a61c7af9b23aac4
MD5 hash:	9ab60d370eef90e85f8d45de268a9584
humanhash:	mango-lima-music-robert
File name:	Sample Drawing.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	684'544 bytes
First seen:	2021-03-03 07:39:48 UTC
Last seen:	2021-03-03 09:38:54 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	12288:1wrlpFvL6VVHH8v67rt3+hz5JjhkzoCLOvV9E267:mYrHBfs1hMoC2kH
TLSH	07E427E422AE512FD033F6B9BB84941CC6D566113E07E79ADA8059CF49D2E31DF809E3
Reporter	abuse_ch
Tags:	AgentTesla exe

abuse_ch

Malspam distributing unidentified malware:

HELO: dcmomail3.c.emirates.net.ae
Sending IP: 86.96.229.236
From: MUBARRAZ OILFIELD IN (muboins) <muboins@emirates.net.ae>
Subject: Re: New Sample Drawings/Order Sheet_03/03/2021
Attachment: Sample Drawing.z (contains "Sample Drawing.exe")

Intelligence

File Origin

# of uploads :

# of downloads :

130

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

Sample Drawing.exe

Verdict:

Suspicious activity

Analysis date:

2021-03-03 07:57:51 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/77236a7c-2059-4c27-9be6-b1a000e09aa7

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/121277/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.19329.5210.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a UDP request

Creating a file in the %AppData% directory

Creating a file in the %temp% directory

Launching a process

Creating a process with a hidden window

Deleting a recently created file

Creating a file

Enabling autorun by creating a file

Unauthorized injection to a system process

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/625654

Signature

.NET source code contains potential unpacker

.NET source code contains very large strings

Allocates memory in foreign processes

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Scheduled temp file as task from temp location

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected AgentTesla

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a09cc41fc5c688ee8d659a26c7a50d422513b8fc6a1636ae091a1572855a5041/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2021-03-03 07:29:49 UTC

AV detection:

12 of 47 (25.53%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=ucomih6fy2eo5dlftitmpjiniisrhoh4nildnlqjdikxfbk2kbaq._file

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210303-384k4rpma2/

Behaviour

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

4695287ebd3a73f7b85a2d362608fa9fdedc5e41b00685674c5d25d42bd7de53

MD5 hash:

cab55ef4f39291aa924ebf0dd00775c3

SHA1 hash:

ef58088f7a7ef7236e39af3b03e88198681d8099

Link:

https://www.unpac.me/results/1c8db302-ac14-4aa9-8e4b-c85e0f49d2f0/

SH256 hash:

f8b5b51efedb3e87493ac2439473564603cc3059d57956f209a7310e311a1027

MD5 hash:

d66f89bf838fb52ed59d311a99aea214

SHA1 hash:

342525c4aabbb92abf51459081d34ed0f1cdc965

Link:

https://www.unpac.me/results/1c8db302-ac14-4aa9-8e4b-c85e0f49d2f0/

SH256 hash:

53bd2be4be7b43d890308dafbfd641f1d603721079ff9cf380e5c139b3cfb525

MD5 hash:

90a402f3db6200d47951d83723c88ada

SHA1 hash:

072347985255468c065c7374e1822005407d1841

Link:

https://www.unpac.me/results/1c8db302-ac14-4aa9-8e4b-c85e0f49d2f0/

SH256 hash:

a09cc41fc5c688ee8d659a26c7a50d422513b8fc6a1636ae091a1572855a5041

MD5 hash:

9ab60d370eef90e85f8d45de268a9584

SHA1 hash:

0842da4cf14dadbf2fcebbfd4a61c7af9b23aac4

Link:

https://www.unpac.me/results/1c8db302-ac14-4aa9-8e4b-c85e0f49d2f0/

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a09cc41fc5c688ee8d659a26c7a50d422513b8fc6a1636ae091a1572855a5041

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	MALWARE_Win_AgentTeslaV3 Create hunting rule
Author:	ditekSHen
Description:	AgentTeslaV3 infostealer payload

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

z 33e2ea1fadcbf7621223a0db53959b54977c6ae19ebf5168a2f6765d2d36bd4d

AgentTesla

exe a09cc41fc5c688ee8d659a26c7a50d422513b8fc6a1636ae091a1572855a5041

(this sample)

Dropped by

MD5 b852d8c38135bea84f79def82264d5a2

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/121277/

Dropped by

SHA256 33e2ea1fadcbf7621223a0db53959b54977c6ae19ebf5168a2f6765d2d36bd4d

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample