MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 12

Intelligence 12 IOCs YARA File information Comments

SHA256 hash:	a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183
SHA3-384 hash:	c20a56b9dea62d5303e43aca2535ee09f9d9f63cf190b4eedb8ef0d6c06e40f71f3d0a033db9f3d0133b7852570a79bd
SHA1 hash:	b84102eb344cbbefc25fd30f243945a1b538c696
MD5 hash:	7a01b7413325d444692f57f15292bced
humanhash:	lithium-lemon-west-leopard
File name:	PDA_pdf.scr
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	1'169'925 bytes
First seen:	2021-09-06 05:13:40 UTC
Last seen:	2021-09-09 10:03:14 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	fcf1390e9ce472c7270447fc5c61a0c1 (863 x DCRat, 118 x NanoCore, 94 x njrat)
ssdeep	24576:qAOcZuXPoismzMCq3XeV8xC3syz0IwTq3XFQYcqa6lCKjDwo5:Q998b1TWX6Kteo5
Threatray	10'469 similar samples on MalwareBazaar
TLSH	T131451201F6C674B2F17179F11A256688297D3D106D24CB3EA3B134AD8A35383DDA1BBE
dhash icon	37712b134b091529 (2 x AgentTesla, 1 x AveMariaRAT, 1 x MassLogger)
Reporter	fabjer
Tags:	AgentTesla exe scr

Intelligence

File Origin

# of uploads :

# of downloads :

173

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

PDA_pdf.scr

Verdict:

Suspicious activity

Analysis date:

2021-09-06 05:15:57 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/05d9d915-ff84-420a-b3c1-8b2641e6755f

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

AgentTeslaV3

Link:

https://www.capesandbox.com/analysis/185503/

Detection(s):

Win.Malware.Lisk-9884866-0

Win.Malware.Lisk-9886225-0

Win.Malware.Lisk-9886839-0

Win.Malware.Lisk-9886840-0

Win.Malware.Lisk-9890448-0

Win.Dropper.Lisk-9890449-0

SecuriteInfo.com.Gen.Variant.Johnnie.221809.751.14920.UNOFFICIAL

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a window

Searching for the window

Creating a file

Enabling the 'hidden' option for recently created files

Creating a process from a recently created file

Sending a UDP request

Launching a process

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/53cb2509-a111-4dc8-bc16-924246da3d54

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/845698

Signature

.NET source code contains very large array initializations

Allocates memory in foreign processes

Drops PE files with a suspicious file extension

Found malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Multi AV Scanner detection for dropped file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments

Writes to foreign memory regions

Yara detected AgentTesla

Yara detected AntiVM autoit script

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183/

Threat name:

Win32.Trojan.Sabsik

Status:

Malicious

First seen:

2021-09-06 03:39:03 UTC

AV detection:

19 of 38 (50.00%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=vfzhq5ildsbttnx4oyaugs3tgf2oybowxvo33zckfkmmu2kr6gbq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

3afedea501a9bca64d1d400f5e3aa79e1f0d359a035d84569c123d49458425f2

AgentTesla

5c5e4e31bde29168e03fa8cce36bab9b577568137edab59f68f8968616546ed9

AgentTesla

65d246d802665601ae63bd52d49d3208bdad035aa193378fc349df3ed0777a44

AgentTesla

80d596a7fa52a5d9b41243e03a88ba0ca560cc95219a38d764947a75f568bea1

AgentTesla

b9b61268d1a21a119391e6316826c44425aec53a42155a7253f62639876eb687

AgentTesla

bee17c10f6ae2b3d19cc7cdd1e54f11a9aac44cda0b5d6f41c0dbdce69b79ad5

AgentTesla

c8c67b9895ec2b463cc43a5c9c1e32363ff1a7a061c99d01dd3de5691e9d1d47

AgentTesla

ccca82e76f5e7fae5c3bcf6a5ff542f95ad241e2c47a00c969ddbf2f50beda25

AgentTesla

+ 10'459 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210906-fw1bgsabc9/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Enumerates physical storage devices

Suspicious use of SetThreadContext

Loads dropped DLL

Executes dropped EXE

AgentTesla Payload

AgentTesla

Unpacked files

SH256 hash:

62bbd3457129c038425f73aea95495c6db139437412c1a0308b7224efe83fd3a

MD5 hash:

27dab92b44715a4a33c7c5f10860dcf7

SHA1 hash:

18bd884ea85a4201a19b4b6978a59ca04316b61c

Link:

https://www.unpac.me/results/9b07ad60-df86-4eb4-83b0-d1734ddbbac2/

SH256 hash:

a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183

MD5 hash:

7a01b7413325d444692f57f15292bced

SHA1 hash:

b84102eb344cbbefc25fd30f243945a1b538c696

Link:

https://www.unpac.me/results/9b07ad60-df86-4eb4-83b0-d1734ddbbac2/

Malware family:

Agent Tesla v3

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/a97278750b1c/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

unknown 25af4fb058b5caa15651cc3c35c85b53b7ef0a38077644684a04e2dc9d6a5c91

AgentTesla

exe a97278750b1c8339b6fc7601434b733174ec05d6bd5dbde44a2a98ca6951f183

(this sample)

Dropped by

SHA256 25af4fb058b5caa15651cc3c35c85b53b7ef0a38077644684a04e2dc9d6a5c91

Delivery method

Distributed via e-mail attachment

Cape

https://www.capesandbox.com/analysis/185503/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample