MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0c82e56e24195d6483cb479c94d3f87a4811102ee44c2b9777968700d7d84a8. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0c82e56e24195d6483cb479c94d3f87a4811102ee44c2b9777968700d7d84a8
SHA3-384 hash: ad217f43d94b48aee39365744ad6fc935e3321d5b6a29858ae01b008f9d04949c7eda15b9f92771a12ab5032292b27ad
SHA1 hash: 6fa3ea0803849370a555b6f15041e5268170a1f2
MD5 hash: 4cb9ec10e007ea4d18873c5265be0af5
humanhash: virginia-maryland-uniform-florida
File name:DHL_document11022020680908911.doc.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:2'423'296 bytes
First seen:2021-05-06 05:16:50 UTC
Last seen:2021-05-06 06:03:12 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep 1536:f6fpzR46+aJFU/588i4Uo8mCG2WUALaXRZy5Sw0AQ8X1xKQHyYBrk+ycIpbfZ4Z5:x
Threatray 4'531 similar samples on MalwareBazaar
TLSH A2B522466B7F26ACA91AB4D0DAC1C00CDBDBEAF05776D59F066A1003C7578642B7CB32
Reporter cocaman
Tags:AgentTesla DHL exe

Intelligence

File Origin
# of uploads :
3
# of downloads :
90
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/151283/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.703.18963.14048.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
DNS request
Sending a UDP request
Running batch commands
Creating a process with a hidden window
Launching a process
Unauthorized injection to a recently created process
Adding an access-denied ACE
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/713134
Signature
.NET source code contains very large array initializations
Found malware configuration
Hides threads from debuggers
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Suspicious Double Extension
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a0c82e56e24195d6483cb479c94d3f87a4811102ee44c2b9777968700d7d84a8/
Threat name:
ByteCode-MSIL.Packed.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-05 06:02:23 UTC
File Type:
PE (.Net Exe)
Extracted files:
1
AV detection:
21 of 29 (72.41%)
Threat level:
  1/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=udec4vxcigk5msb4wr44stj7q6siceic5zcmfolxpfuhadl5qsua._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
04c9ccc533b33d9eaa98a4f82f32bcd142c1228492d195ab5335c094643b7a7c
AgentTesla
0df50fffae1f82940ba8ac5af3ea2d3f1a2d79b830ebf7e441ff5e25cc254189
AgentTesla
1a1641715331329ed3983daded2b15f018debd62069b42fa2087ca921d3a54a0
AgentTesla
52b98cca3167f7f97a7ae7729aeddee0b2280a18841d692697bd6dea415f3abe
AgentTesla
6906010d796861631e527431fc9ecea28a277307ab374a9641bf716856535b69
AgentTesla
755fede7240f600d66e808cfdc6e6cffaed4405eb07d139d632e4e8319929bce
AgentTesla
b51842033a6ed385e07f4de9093412e410f50da878e761de8725c184f2327ec1
AgentTesla
b6c4befa1899e59c6792b871342800705a2f630ee72a04ed2b1c9c5cb69b40e5
AgentTesla
d640fecc809699b292165546e461882128097d0de86e8847fb83110b2e8a9a4f
AgentTesla
ebb89d7d2ba96d368ef3e3f296ba7ff2e591489e7726a0613c89764b7f654390
AgentTesla
+ 4'521 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210506-x1hxf1q93x/
Behaviour
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
bbe82d865c4911903564ed7f268170319588725c9737c6e33f5c3b7531bb1e3c
MD5 hash:
8c232d900f0436901dc09a77c71526b5
SHA1 hash:
f5e1399a5524bd9726169957bddc09a0f8f2f8ba
Link:
https://www.unpac.me/results/85121947-624e-4a8d-8657-30ad58ce5513/
SH256 hash:
630dccf21934e1948476dadc7e2454efa75edcc1623d50c54f35077c6c7b541b
MD5 hash:
caaa09899f75867df07328601ee08b66
SHA1 hash:
bc8b8d8d612ccb2e85bf72817272125718531f37
Link:
https://www.unpac.me/results/85121947-624e-4a8d-8657-30ad58ce5513/
SH256 hash:
a0c82e56e24195d6483cb479c94d3f87a4811102ee44c2b9777968700d7d84a8
MD5 hash:
4cb9ec10e007ea4d18873c5265be0af5
SHA1 hash:
6fa3ea0803849370a555b6f15041e5268170a1f2
Link:
https://www.unpac.me/results/85121947-624e-4a8d-8657-30ad58ce5513/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
AgentTesla
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a0c82e56e24195d6483cb479c94d3f87a4811102ee44c2b9777968700d7d84a8

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ac565d2abad42c40e8f622677fd68246d28aeb39a3c1c2c24caa2853b7f7b5af

AgentTesla

Executable exe a0c82e56e24195d6483cb479c94d3f87a4811102ee44c2b9777968700d7d84a8

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 ac565d2abad42c40e8f622677fd68246d28aeb39a3c1c2c24caa2853b7f7b5af
Cape
Cape
https://www.capesandbox.com/analysis/151283/

Comments