MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a4f5d50066dec8990f99e1b9dd6d9106204b5d064b9aa9c8e5578820dee27947. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: a4f5d50066dec8990f99e1b9dd6d9106204b5d064b9aa9c8e5578820dee27947
SHA3-384 hash: 55719a7142a0553f650a175521bb703ed29c9e28fda2ac087770162fdfe67bbed6f3af68276bd37cf7074cc0fc94f478
SHA1 hash: b36cbbca5e6fb248724432aa8cf567ac689d8039
MD5 hash: cad9033104ac746697b1ac391dc5bc0a
humanhash: july-utah-magnesium-blue
File name:SCAN PO TY5676879809_xls.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:521'728 bytes
First seen:2020-10-15 05:08:49 UTC
Last seen:2020-10-16 21:12:57 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'599 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 12288:oewSNg6NUmxh3KtDyahRwmdYnX0Z17WT+j7X/:7g6NHxh6t+ahRVdcX0Zh
TLSH 1CB46D7C8DD8523B95BFE276C0B49AE3F911794731409C0F669B9A870E63B232C89C5D
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
89
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/71184/
Detection(s):
Sanesecurity.Malware.25544.7zHeur.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Launching a process
Creating a file
Creating a window
Using the Windows Management Instrumentation requests
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/491967
Signature
.NET source code contains very large array initializations
Adds a directory exclusion to Windows Defender
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Creates an undocumented autostart registry key
Found malware configuration
Injects a PE file into a foreign processes
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 298429 Sample: SCAN PO TY5676879809_xls.exe Startdate: 15/10/2020 Architecture: WINDOWS Score: 100 31 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->31 33 Found malware configuration 2->33 35 Antivirus detection for dropped file 2->35 37 9 other signatures 2->37 7 SCAN PO TY5676879809_xls.exe 4 2->7         started        process3 file4 23 C:\Users\user\AppData\Roaming\...\vhghjlc.exe, PE32 7->23 dropped 25 C:\Users\user\...\vhghjlc.exe:Zone.Identifier, ASCII 7->25 dropped 27 C:\Users\...\SCAN PO TY5676879809_xls.exe.log, ASCII 7->27 dropped 39 Creates an undocumented autostart registry key 7->39 41 Adds a directory exclusion to Windows Defender 7->41 43 Injects a PE file into a foreign processes 7->43 11 SCAN PO TY5676879809_xls.exe 6 7->11         started        15 powershell.exe 22 7->15         started        17 SCAN PO TY5676879809_xls.exe 7->17         started        19 SCAN PO TY5676879809_xls.exe 7->19         started        signatures5 process6 dnsIp7 29 mail.yaselforklift.com 93.89.20.41, 49769, 49770, 587 MEDYABIM-ASTR Turkey 11->29 45 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 11->45 47 Tries to steal Mail credentials (via file access) 11->47 49 Tries to harvest and steal ftp login credentials 11->49 51 Tries to harvest and steal browser information (history, passwords, etc) 11->51 21 conhost.exe 15->21         started        signatures8 process9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/a4f5d50066dec8990f99e1b9dd6d9106204b5d064b9aa9c8e5578820dee27947/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-10-15 01:21:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
7
AV detection:
25 of 29 (86.21%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ut25kadg33ejsd4z4g4523mrayqewxigjonktshfk6ecbxxcpfdq._file
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201015-3ym9m2qmmj/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
AgentTesla
Unpacked files
SH256 hash:
a4f5d50066dec8990f99e1b9dd6d9106204b5d064b9aa9c8e5578820dee27947
MD5 hash:
cad9033104ac746697b1ac391dc5bc0a
SHA1 hash:
b36cbbca5e6fb248724432aa8cf567ac689d8039
Link:
https://www.unpac.me/results/836d9897-587b-45cc-aab9-b43b5e20a7d7/
SH256 hash:
7c948c476871ea28e441845f516de6aa12f198f8389ceed1e65cc1fef396cb22
MD5 hash:
8b86e0eaaf6e636174f7ecc122419708
SHA1 hash:
802d7d9570d6cf96a7643f4dccc25ee75ac78863
Link:
https://www.unpac.me/results/836d9897-587b-45cc-aab9-b43b5e20a7d7/
SH256 hash:
9dc2d9452430f912c04d92e71c1f7292300fb6b39c2807fe170371532b33914b
MD5 hash:
cf9578f9d244a7cf0c4fe639cfad6004
SHA1 hash:
0d29bc26189777227c9d472f1463011d57456e05
Link:
https://www.unpac.me/results/836d9897-587b-45cc-aab9-b43b5e20a7d7/
SH256 hash:
165b6353a27653c087637f372f70713e4e0af658e87f03ba0703d8b975525243
MD5 hash:
112730ad698bcb62cfb8c64c4862640a
SHA1 hash:
6b42b1f3f372785c40b4f80c35d6aa2e0d012429
Link:
https://www.unpac.me/results/836d9897-587b-45cc-aab9-b43b5e20a7d7/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/a4f5d50066dec8990f99e1b9dd6d9106204b5d064b9aa9c8e5578820dee27947

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip fec03020a1c037817aff8b8e9d48c410c2b87e7a852fdb7d60b519db9ec5d7bc

AgentTesla

Executable exe a4f5d50066dec8990f99e1b9dd6d9106204b5d064b9aa9c8e5578820dee27947

(this sample)

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/71184/
  
Dropped by
SHA256 fec03020a1c037817aff8b8e9d48c410c2b87e7a852fdb7d60b519db9ec5d7bc

Comments