MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aca2eb18cac1ab1eb752bc5061c77460e08cba410ec1cd32a637a4170618300a. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: aca2eb18cac1ab1eb752bc5061c77460e08cba410ec1cd32a637a4170618300a
SHA3-384 hash: 2b3b6b21277384f3bc72e50cb9878fdced4c1c3ed1862f1ad69280d2e7c23672a4b16c60ae545fb4f04431579b881013
SHA1 hash: 6be43f8a0f59aab822f755c92fff9a6d170da7d8
MD5 hash: 44aad4f603d4bab63f9b53a1407e7e02
humanhash: fifteen-robin-oregon-apart
File name:44aad4f603d4bab63f9b53a1407e7e02
Download: download sample
Signature AgentTesla
Create hunting rule
File size:717'312 bytes
First seen:2020-10-25 18:39:34 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 1a5d92eea222a4272a60ec00cf7a41b7 (6 x Loki, 6 x AgentTesla, 1 x Formbook)
ssdeep 12288:65/c7YVklcD0+K4cRp8eTTXcy+O8W0qoERIbdBEyhyjqAMFhDa:Yv2OIRLTTXcC5oER0XAjfM2
Threatray 938 similar samples on MalwareBazaar
TLSH 13E49E62B2E148F7C166273DBC0B97649826BE502D286D463BF52DCC9F39791381B2D3
Reporter seifreed
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
1
# of downloads :
59
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/76583/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

PUA.Win.Adware.Webalta-6912039-0
Create hunting rule

SecuriteInfo.com.BehavesLike.Win32.DealPly.jh.16493.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching a process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/510200
Signature
.NET source code contains very large array initializations
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Found malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
May check the online IP address of the machine
Moves itself to temp directory
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/aca2eb18cac1ab1eb752bc5061c77460e08cba410ec1cd32a637a4170618300a/
Threat name:
Win32.Trojan.LokiBot
Create hunting rule
Status:
Malicious
First seen:
2020-10-20 10:01:54 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=vsrowggkygvr5n2sxrigdr3umdqizosbb3a42mvgg6sbobqygafa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
099585dece2a535d3c7445453617e80e0f56e63fea64c305089cf3f945718b32
AgentTesla
31b788932350418b6dd533665053dacbc0a0af1fc13d2f0035df834413f64a2b
AgentTesla
379854686060051695c0588559dc07e5de53aa05debb514b1053dbe7d03c4f02
AgentTesla
39738c9fd5866fa8f6eb0473bb8bf03766e4fff79875f184823269e4fedb50c4
AgentTesla
4dc5a395fabe04122f9a4d6ab514a470713c758b079958832f51b2083ecc6d7c
AgentTesla
8ee2c58f8a8fc555dc2be25df0f819e83f2c6c36a7513c18ddafe160ac94bf11
AgentTesla
910d4e264036f52b56c864e80360fed814b1baa8ef78f4361cf156e026c7b792
AgentTesla
a55d6d38e7797634af9612af2a33672ea5cdb86dbdbe60b241e070a9abe96719
AgentTesla
ac2e9615b368e00fb4bf4d5180bbfc0d6fb7bbce3fa1af603d346d7a8f2450e5
AgentTesla
d3473a3e73cf0e6c3d25f6631d4b4929f25f14d3997ab4a64f51530314dfb4d3
AgentTesla
+ 928 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/201025-yaz6qy9ffn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: RenamesItself
Suspicious use of SetThreadContext
Looks up external IP address via web service
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
aca2eb18cac1ab1eb752bc5061c77460e08cba410ec1cd32a637a4170618300a
MD5 hash:
44aad4f603d4bab63f9b53a1407e7e02
SHA1 hash:
6be43f8a0f59aab822f755c92fff9a6d170da7d8
Link:
https://www.unpac.me/results/321d8242-d691-4f03-840a-282aaad7c0b2/
SH256 hash:
55cde2be35907c2518017f638524d3dc828cd3f284305b15cc1cc55eaf163fa8
MD5 hash:
d11017f3d83a400a2ec65323d986e5c1
SHA1 hash:
1d75907ad62935f61a422e17c4599a6a6c3c618e
Link:
https://www.unpac.me/results/321d8242-d691-4f03-840a-282aaad7c0b2/
SH256 hash:
9937d97cf655457e9c8412e0cd1f0277aacd23153d4fc6c60169375be16924b9
MD5 hash:
4af871d532b8279375843d364faf3554
SHA1 hash:
ce0de12f7a6333ccab1bb24823c33a34b89b064e
Link:
https://www.unpac.me/results/321d8242-d691-4f03-840a-282aaad7c0b2/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/aca2eb18cac1ab1eb752bc5061c77460e08cba410ec1cd32a637a4170618300a

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/76583/

Comments