MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0a9c7c2b43897573efcf43e75e0b36e26bb7cf1261791672e77fd7688aaa8c4. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 12


Intelligence 12 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0a9c7c2b43897573efcf43e75e0b36e26bb7cf1261791672e77fd7688aaa8c4
SHA3-384 hash: b1bcf05e5dff37702794df82f93d7a5e5163e6ff78766a706196d99e87e17ae66747fd48df158cf256ad2310316e659e
SHA1 hash: a33dc28496122496066811e70fb50688d59e6cbb
MD5 hash: 1cf91be151c8b29aa4ddfd3151ae09ee
humanhash: equal-equal-sweet-nineteen
File name:1cf91be151c8b29aa4ddfd3151ae09ee.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'738'720 bytes
First seen:2021-02-15 08:05:20 UTC
Last seen:2021-02-15 09:54:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 6144:Ucm7ZEAryIJ5TFwOxQD65iPkRBbSiCHf4LxT3HKXPYGChncpXRVNpD3TWS/c6:D/c6
Threatray 2'649 similar samples on MalwareBazaar
TLSH FB85A3374F4F5A04F7E3A6D326817A7A2D132AD8A25195F9388127C1E33321D6CD5E8E
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
AgentTesla SMTP exfil server:
frostdell.uk:587

Intelligence

File Origin
# of uploads :
2
# of downloads :
122
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
1cf91be151c8b29aa4ddfd3151ae09ee.exe
Verdict:
Malicious activity
Analysis date:
2021-02-15 08:09:07 UTC
Tags:
rat agenttesla trojan
Link:
https://app.any.run/tasks/d3d05aac-05c2-4701-bc62-f585546cc375

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117160/
Detection(s):
SecuriteInfo.com.Artemis1CF91BE151C8.17582.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Unauthorized injection to a recently created process
Sending a UDP request
Creating a window
Creating a file
Using the Windows Management Instrumentation requests
Changing the hosts file
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/607875
Signature
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Found malware configuration
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for sample
Modifies the hosts file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a0a9c7c2b43897573efcf43e75e0b36e26bb7cf1261791672e77fd7688aaa8c4/
Threat name:
ByteCode-MSIL.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-02-15 08:06:07 UTC
AV detection:
8 of 46 (17.39%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ucu4pqvuhclvopx46q7hlyftnytlw7hreylzczzoo76xncfkvdca._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
39f32ed0f76d63794bcaa528441a491c132a7c110deace155bd314566a09c90c
AgentTesla
420b0a14b0d994f9c1e2ee75a3bba5063f558a4bfbf22f8967c57de61912eff5
AgentTesla
8095f23a25042bf761d123fc385093ff150114b0e3bad6a8bd9244791e0aa00f
AgentTesla
8d10af8f247bb74f1a3d0878785f3afa173c82d4c881f29dd5b60ea6ed5f6b90
AgentTesla
9d18ad4fbe206d2bb0bbeb71355fac7414c8b3f32a7faf24806e8b657e517cd4
AgentTesla
b4a054c8b3781f276e07502c5cfd4064e2c0713f028ea5d94e0e4ed810036f01
AgentTesla
b8b373ce2f5835b617f904b50e5e594232982967ea1a12b35bd085c83aa057bb
AgentTesla
d9f9b4cbf097f8f9e145b547f0725217016f5cdacbdf61e108f9e84981ce76f8
AgentTesla
e838818dca05da30d6307e7d6b0a724ff63c81bf7391e085d6ff60ff2320d03b
AgentTesla
fb74843103876ff17cf532aec1bd261d3ae47fa10d3ccefcaef62e13b29600d3
AgentTesla
+ 2'639 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210215-xl4gace17a/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Drops file in Drivers directory
AgentTesla
Unpacked files
SH256 hash:
525fc6af5d5b7b9a9d841ff16a87bace3b2f2e9426c81739f93b30726d6a85f7
MD5 hash:
f3fbc5c1a4dc2a663c316c6e5c867822
SHA1 hash:
c2a11bd14c34ae7eecd31da86cc86ab40dbc3f9d
Link:
https://www.unpac.me/results/19a5db69-fcd3-4b0b-80db-67cb7270ce3e/
SH256 hash:
30f995d6aadd9b564000a1459146620852375f8749780408a4b8d402c0962861
MD5 hash:
c6f275ed4b250368983e20b0e6e2e45d
SHA1 hash:
6194eb5df0d897914de162e9b4165cebf6574a00
Link:
https://www.unpac.me/results/19a5db69-fcd3-4b0b-80db-67cb7270ce3e/
SH256 hash:
a0a9c7c2b43897573efcf43e75e0b36e26bb7cf1261791672e77fd7688aaa8c4
MD5 hash:
1cf91be151c8b29aa4ddfd3151ae09ee
SHA1 hash:
a33dc28496122496066811e70fb50688d59e6cbb
Link:
https://www.unpac.me/results/19a5db69-fcd3-4b0b-80db-67cb7270ce3e/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0a9c7c2b43897573efcf43e75e0b36e26bb7cf1261791672e77fd7688aaa8c4

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

AgentTesla

Executable exe a0a9c7c2b43897573efcf43e75e0b36e26bb7cf1261791672e77fd7688aaa8c4

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/978556/
  
Delivery method
Distributed via web download
Cape
Cape
https://www.capesandbox.com/analysis/117160/

Comments