MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a0dff0bf5eb951b2371c5ccdd3d5787c12990fd50a4fe5092d3e6d1286fec8e6. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a0dff0bf5eb951b2371c5ccdd3d5787c12990fd50a4fe5092d3e6d1286fec8e6
SHA3-384 hash: d9bb42ad5c91311698794eeba35c5103645a10a2c0806ee0802b1a8a580ac9a0aa1b3e7a68f539dfab1e9909deefe384
SHA1 hash: 4abe0e9233e2f7627aeeb376ef45ae627fc8a7cd
MD5 hash: a13262e6dbe5b6877cfb2a796664a5e6
humanhash: don-red-wisconsin-edward
File name:MV HOLLY PIONEER.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:872'448 bytes
First seen:2021-05-05 09:36:40 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'665 x AgentTesla, 19'478 x Formbook, 12'208 x SnakeKeylogger)
ssdeep 12288:h1fxhwL8mLAHefRIZtbVqrTwqEZmeGU1hLE4CZS3T1w:DZyJAH/ZtxqEZj1ZdC8D1
Threatray 4'652 similar samples on MalwareBazaar
TLSH 5D059D1477B89BD7C29F03B9E199221167F5D006A39BBB8B694CFAF53D6339089011E3
Reporter abuse_ch
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
87
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/150232/
Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
DNS request
Sending an HTTP GET request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/711759
Signature
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Found malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 404803 Sample: MV HOLLY PIONEER.exe Startdate: 05/05/2021 Architecture: WINDOWS Score: 100 40 Found malware configuration 2->40 42 Multi AV Scanner detection for dropped file 2->42 44 Multi AV Scanner detection for submitted file 2->44 46 9 other signatures 2->46 8 MV HOLLY PIONEER.exe 18 8 2->8         started        process3 file4 30 C:\Users\user\...\MV HOLLY PIONEER.exe, PE32 8->30 dropped 32 C:\Users\user\AppData\Local\...\zSnucxvcj.vbs, ASCII 8->32 dropped 34 C:\...\MV HOLLY PIONEER.exe:Zone.Identifier, ASCII 8->34 dropped 36 2 other files (1 malicious) 8->36 dropped 48 Writes to foreign memory regions 8->48 50 Injects a PE file into a foreign processes 8->50 12 wscript.exe 1 8->12         started        15 AdvancedRun.exe 1 8->15         started        18 AdvancedRun.exe 1 8->18         started        20 MV HOLLY PIONEER.exe 2 8->20         started        signatures5 process6 dnsIp7 52 Wscript starts Powershell (via cmd or directly) 12->52 54 Adds a directory exclusion to Windows Defender 12->54 22 powershell.exe 12->22         started        38 192.168.2.1 unknown unknown 15->38 24 AdvancedRun.exe 15->24         started        26 AdvancedRun.exe 18->26         started        signatures8 process9 process10 28 conhost.exe 22->28         started       
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/a0dff0bf5eb951b2371c5ccdd3d5787c12990fd50a4fe5092d3e6d1286fec8e6/
Threat name:
Win32.Trojan.Generic
Create hunting rule
Status:
Suspicious
First seen:
2021-05-05 02:45:10 UTC
AV detection:
5 of 47 (10.64%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=udp7bp26xfi3eny4ltg5hvlypqjjsd6vbjh6kcjnhzwrfbx6zdta._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
126f752c7dec6c513804a0737e5d0a03cd8a1082923d68aec35979f3a7db7d60
AgentTesla
174d9ba2e89f897d84a612d59117d349773c91f129aa8cdb8ad8a29d576fa8af
AgentTesla
321b6f97457bc64a7fa264043d5f7ce3b6dc1ddd735daf77820580b2f7ff7a93
AgentTesla
337a895245dcdbe522c4320dbe1dfd62e346aecad8246f9b895a5460211865b0
AgentTesla
360dc7aa2889b1ed05b553eccab73348de2fae89cd7742e64422712298b670ca
AgentTesla
5242c4552e512707dbeb3b004cb441cc140b6cfe813a4d6532f4adec03bcb23c
AgentTesla
6386ca320b232134dbaef39b9be7bb88dec4dd72633f215fb91c543da2e36ffb
AgentTesla
6721200d1e880c83cf3c4ee07db918abca886251cd59a10c10b515eaf026bbbc
AgentTesla
d94cad3bda5709a80fa3ec8440f5bf135b17dcb7f364e1cbfbf003402f74edc3
AgentTesla
dea2e88e71d3b38500aca694a9ba1f476d8db14e5389a2cf70b23cad51eb33c9
AgentTesla
+ 4'642 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210505-ss65vghrx6/
Behaviour
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Loads dropped DLL
Executes dropped EXE
AgentTesla Payload
Nirsoft
AgentTesla
Unpacked files
SH256 hash:
34bbea772d6bc2ffb6ff879346cf025379e6b65a7e76dcb94dbe61dc588ba9fa
MD5 hash:
a12bff5e88ef00d440dc169760b797d5
SHA1 hash:
fd4f32f1a3c5f9efc34ed101661f732cfac814b0
Link:
https://www.unpac.me/results/85c5e18b-a1d8-445e-a0a2-9fe6de826b37/
SH256 hash:
710d75ec9d64809ff0c99ef6357686ebca1ea932390e5cd9fa6d3bb19c161b10
MD5 hash:
d8dd81ae4055385be2bc492f308f54b9
SHA1 hash:
ae6640b5d329354690a45f5238ba37738a47e858
Link:
https://www.unpac.me/results/85c5e18b-a1d8-445e-a0a2-9fe6de826b37/
SH256 hash:
722fd4cc7014c099705223b4b7766d071bd03aacb0d7fd1443d4a16e52a32d77
MD5 hash:
db84e408727f5cd561efbf22098e104b
SHA1 hash:
81d04d6a6717e24d626ab19b901e4a09eb26ceaa
Link:
https://www.unpac.me/results/85c5e18b-a1d8-445e-a0a2-9fe6de826b37/
SH256 hash:
7088f076e2fde23496e38ee3ed7f54da4e9311ff4c2f47b95f6d3af076f76117
MD5 hash:
2a723164e592661d7fc8e1bb51572626
SHA1 hash:
1efc53fcd02c23f9c4ad0b9dc5be313eefa64180
Link:
https://www.unpac.me/results/85c5e18b-a1d8-445e-a0a2-9fe6de826b37/
SH256 hash:
a0dff0bf5eb951b2371c5ccdd3d5787c12990fd50a4fe5092d3e6d1286fec8e6
MD5 hash:
a13262e6dbe5b6877cfb2a796664a5e6
SHA1 hash:
4abe0e9233e2f7627aeeb376ef45ae627fc8a7cd
Link:
https://www.unpac.me/results/85c5e18b-a1d8-445e-a0a2-9fe6de826b37/
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Ping_Del_method_bin_mem
Create hunting rule
Author:James_inthe_box
Description:cmd ping IP nul del

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/150232/

Comments