MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0dd30e967f6e54362d05f31a9b364822f11a525db6faafdd62f76123176b42f. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 13


Intelligence 13 IOCs YARA 4 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0dd30e967f6e54362d05f31a9b364822f11a525db6faafdd62f76123176b42f
SHA3-384 hash: ff316ea7d3c9a7fbe00be4e3a2e2ebe8e7136b6955cea204c51ede9b3da3dec955e381c3bb9167b720fee0f4a908c2bc
SHA1 hash: 7c05a90cdeb98533d38e8c8666ab0d6992f22522
MD5 hash: 12f5435e648775512227bd194a2f3791
humanhash: moon-cardinal-high-failed
File name:Payment Copy.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:1'432'064 bytes
First seen:2021-12-06 13:18:30 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 24576:VSplLigqONxaD/RpsTEdAdeshzSb2QslOyyQ8P9+RyCbjbDp:0lLi+oD/RpMEdA7g+c6bjb1
Threatray 13'288 similar samples on MalwareBazaar
TLSH T1EC657B5C317025AFE83A853145541F379EF12C7E966B53CE730734AB8ABE5828F242E9
File icon (PE):PE icon
dhash icon 86e8c0c8ccd89ce6 (18 x AgentTesla, 18 x Formbook, 8 x Loki)
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
162
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Payment Copy.exe
Verdict:
Suspicious activity
Analysis date:
2021-12-06 22:51:03 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/2ca4c03c-7428-42c7-9959-e7fe53db7682

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/211792/
Detection(s):
SecuriteInfo.com.PWS-FCUF12F5435E6487.27680.17708.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
DNS request
Sending a custom TCP request
Сreating synchronization primitives
Launching a process
Creating a process with a hidden window
Using the Windows Management Instrumentation requests
Unauthorized injection to a recently created process
Creating a file
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
obfuscated packed
Link:
https://www.filescan.io/uploads/61ae0dcafa72c81b5b0e6a3b/reports/40d07b94-5735-4615-bf99-cbf483b72a85/overview
Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
Agent Tesla
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/25943503-49e5-4090-8a8c-23eb5471e57e
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/902282
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
PE file contains section with special chars
PE file has nameless sections
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Defender Exclusion
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a0dd30e967f6e54362d05f31a9b364822f11a525db6faafdd62f76123176b42f/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2021-12-06 13:19:19 UTC
File Type:
PE (.Net Exe)
Extracted files:
22
AV detection:
23 of 28 (82.14%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=udotb2lh63sugywql4y2tm3eqixrdjjf3nx2v7owf53bemlwwqxq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
00d41d97a84f12b8dba8bca50931375381a4a1233587c6ddc730fbc9d53844c1
AgentTesla
1751dbf21c3326cb823498ed2d48b65f2a0f27282570061d05030c401b06c916
AgentTesla
4da9cdaabab199c810cad207fe4dd792068eb0993f3a26a73c0a9bfb19f9831c
AgentTesla
8118d5421d1bdee0f409f02e03d2f71e4294c522797c0e8a3920b2f585060ef2
AgentTesla
928fb7b546c7c4a811df10c1d98da7cf6ca781f8f923accb37f4d5d7af52f10d
AgentTesla
ac5866f614b823da9be6ee38aabad18d3c4ccac441ff22c833d6c0957f72ba8b
AgentTesla
ea4be7937b43bb991dc11f499c00a3774e362a3436b2402afa57cf5affd949a7
AgentTesla
+ 13'278 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla collection evasion keylogger spyware stealer trojan
Link:
https://tria.ge/reports/211206-qkhx6sebbj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Enumerates physical storage devices
Suspicious use of SetThreadContext
Accesses Microsoft Outlook profiles
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
AgentTesla Payload
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
1eba3e6e55f4aa87ee88dad11183f808f00870bf6277e3ae19fb31400a1dbe5b
MD5 hash:
00b620728472aef2af115e0455930cf8
SHA1 hash:
649a4ad0f13a3176ea36b855c1b36fbce246446a
Link:
https://www.unpac.me/results/bfc1756b-f181-4507-a563-5f4d5b9bd9db/
SH256 hash:
29c47d0d43d5a7a8c31bfa5a5a22f7d3d33353c48eda3c0fac19a83a5d1c4f07
MD5 hash:
9f55520c862c38a279b146d5a8c4fdc6
SHA1 hash:
5a8639f6ab65f720a86e2e46df7e7c675c15ccfa
Link:
https://www.unpac.me/results/bfc1756b-f181-4507-a563-5f4d5b9bd9db/
SH256 hash:
4f54b580bfe9d942db74f32d9c4220b6a9daf391578093c685a8cb5393e2e1ac
MD5 hash:
0537765b2f36a96af3dcc4d5d1bb9992
SHA1 hash:
44cc498524253b03b50e90afd2cb54505d52d725
Link:
https://www.unpac.me/results/bfc1756b-f181-4507-a563-5f4d5b9bd9db/
SH256 hash:
a0dd30e967f6e54362d05f31a9b364822f11a525db6faafdd62f76123176b42f
MD5 hash:
12f5435e648775512227bd194a2f3791
SHA1 hash:
7c05a90cdeb98533d38e8c8666ab0d6992f22522
Link:
https://www.unpac.me/results/bfc1756b-f181-4507-a563-5f4d5b9bd9db/
Malware family:
Agent Tesla v3
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/a0dd30e967f6/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Suspicious File
Score:
0.35
Link:
https://yomi.yoroi.company/submissions/a0dd30e967f6e54362d05f31a9b364822f11a525db6faafdd62f76123176b42f

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFuture
Create hunting rule
Author:ditekSHen
Description:Detect executables with stomped PE compilation timestamp that is greater than local current time
Rule name:pe_imphash
Create hunting rule
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe a0dd30e967f6e54362d05f31a9b364822f11a525db6faafdd62f76123176b42f

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/211792/

Comments