MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 abeb6c60fb8519e50226482c903a270a9d5012370e082f6a60aca96c64ff9cc1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: abeb6c60fb8519e50226482c903a270a9d5012370e082f6a60aca96c64ff9cc1
SHA3-384 hash: 66cbe0a1998d3354bf83609603bb38813783429080615df1e18e6b6de87f72a2dd2061b0af9db12e10904b724ed0256f
SHA1 hash: 5e2768f9c981e83c4761a849b4b6b19cc1decc61
MD5 hash: ed8ef945d7d259824b4b5590c539c0b6
humanhash: solar-sink-papa-south
File name:PO2021012.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:754'688 bytes
First seen:2021-02-17 02:57:44 UTC
Last seen:2021-02-17 04:54:33 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'749 x AgentTesla, 19'653 x Formbook, 12'246 x SnakeKeylogger)
ssdeep 12288:jSQYzdnLpsnzBhGxR3PqG073wHGc6uB3XdtgnUPTZ:jSlzdn4Tw3iGEkwuBdKQ
Threatray 11 similar samples on MalwareBazaar
TLSH 63F45A2B62986FABF07D97756034841087F0BC5BE764D99DBFD070EA1874F44CAA2B42
Reporter vm001cn
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
111
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
PO2021012.exe
Verdict:
Malicious activity
Analysis date:
2021-02-16 07:43:55 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/780ce621-10f6-403e-a079-e29f01ebc1e7

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/117463/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.541.28146.17267.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a process with a hidden window
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/609733
Signature
.NET source code contains very large array initializations
C2 URLs / IPs found in malware configuration
Found malware configuration
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/abeb6c60fb8519e50226482c903a270a9d5012370e082f6a60aca96c64ff9cc1/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-02-16 08:26:42 UTC
AV detection:
16 of 29 (55.17%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vpvwyyh3qum6kargjawjaorhbkovaerxbyec62tavsuwyzh7ttaq._file
Verdict:
unknown
Similar samples:
072b5e15bd74b972d408910263e80c07cb6b4f17d3eb6024508b457f7dd84e87
AgentTesla
1d1c7e4441d356fd59afca292924b34f4b18867aca7d5892210f2d997753c190
AgentTesla
418c91165a110d4877cb2932db456e37715dd6ea494712bb6cebd009eb090727
AgentTesla
43dc584275e87192148542ab82f312d5c809444982536a6403898804a50c72a1
AgentTesla
5ae71498e3b1d2707c84bcd6f43566b8834f310dccafd64ef81e54cbe7ac4b01
AgentTesla
5d617282230f991221360f213e15b0e62d0c462afc3d32299c9b410658fbb106
AgentTesla
91b00403de43b3c7d5f630b69934dcb1a9694c6a2cbea5eae599caa54405cf81
AgentTesla
b9f2863fa3e07c6c02defa3f19574f71118fcdbb37b1f4292088226319da3a78
AgentTesla
c382978c4fbc471e61a6c4d874c41231f38da448436a36638d460ce79a272b2c
AgentTesla
ebba3cbb31b33009b718185d391d43e4373a08aca718591c3af294ee34400ff7
AgentTesla
+ 1 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210217-6318zbyj1x/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
b2499a2af35b550fbe7f541a14ff1225e1202324f351eecf85de6c8e9fc7c27c
MD5 hash:
5e732e4265622675313195dead01047e
SHA1 hash:
359c710a93c2f58cdc2a45de8dd48a6884a70645
Link:
https://www.unpac.me/results/fc4a36ab-75ad-4347-b7f2-2bf88c322cfa/
SH256 hash:
abeb6c60fb8519e50226482c903a270a9d5012370e082f6a60aca96c64ff9cc1
MD5 hash:
ed8ef945d7d259824b4b5590c539c0b6
SHA1 hash:
5e2768f9c981e83c4761a849b4b6b19cc1decc61
Link:
https://www.unpac.me/results/fc4a36ab-75ad-4347-b7f2-2bf88c322cfa/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Remcos
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/abeb6c60fb8519e50226482c903a270a9d5012370e082f6a60aca96c64ff9cc1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/117463/

Comments