MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 7

Intelligence 7 IOCs YARA 2 File information Comments

SHA256 hash:	acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423
SHA3-384 hash:	4acdcb3c24d120264ff543b047859475af28ef6a672c37a3007e9e1805dee6724100a741080808f460a8a87c19d7e7f0
SHA1 hash:	2bbce9a5a01f5a332fd42690e32ecfda987d58c8
MD5 hash:	66dd83cd5a5ef515ea0f931e0d30b97a
humanhash:	table-cola-angel-tango
File name:	NEW PO567.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	879'104 bytes
First seen:	2020-11-06 19:14:30 UTC
Last seen:	2020-11-09 06:00:25 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep	24576:Tgsf1eCW2IGfmEWFmUclSFvxSV3DGEoBxSTBtXYtY51/:Tgw1pmElS63DCgTjoKn
Threatray	1'013 similar samples on MalwareBazaar
TLSH	0A15AFFA6246EA6AC80F043FF84B256193D9DF1E59F8804653C5F12D137C6CE66AC48B
Reporter	cocaman
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

116

Origin country :

n/a

Vendor Threat Intelligence

Detection(s):

SecuriteInfo.com.BackDoor.SpyBotNET.25.18832.19548.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Using the Windows Management Instrumentation requests

Creating a file

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/523553

Signature

.NET source code contains very large array initializations

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Injects a PE file into a foreign processes

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM_3

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423/

Threat name:

ByteCode-MSIL.Spyware.Noon

Status:

Malicious

First seen:

2020-11-06 17:15:47 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

23 of 29 (79.31%)

Threat level:

2/5

Detection(s):

Malicious file

Link:

https://check.spamhaus.org/check/?searchterm=vtxxcvpvnikdi5ymmavjf27usrkhjlmf5e4c34m76xj773sgcqrq._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

08f9ff6bbe01d3fab54974c872fbdf2f8fa1fd1f32649c776f0626030169272c

AgentTesla

18dddb92c78a57ec4c3eaa117c7db4840e30484a4934af1905451e01d82ba245

AgentTesla

6f175e5ca3aed259ec1288d9dbd2510bff46dd383f95c07d9495570699934445

AgentTesla

8ca4a5887d8506ae275cdc9d9ba89dab07e2997435435a1f0bd111f78ad0a382

AgentTesla

9b42273e757d2cd6b0861aa1a06f32f4f8e6882deaa65167e0068c38845b0cd2

AgentTesla

b505171cca5c5eefe4dd6e6ce852dd380cfc08effeef51ed1219741f2910b873

AgentTesla

bcba47ff7460e3a03098516dcc1af9369b8fcc302fefaa07c57024830f57e93c

AgentTesla

e064cd70ae6467ad9c0342b4750cae4fb688c56b0d904ea4091aa074e174dcf0

AgentTesla

e1cfca7448e28054c1e1ef3ca5ea11921d46f85c75729310d6d4f01c955a607e

AgentTesla

+ 1'003 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

evasion family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/201106-gaerkbjybs/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Maps connected drives based on registry

Checks BIOS information in registry

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Looks for VMWare Tools registry key

Looks for VirtualBox Guest Additions in registry

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	ach_AgentTesla_20200929 Create hunting rule
Author:	abuse.ch
Description:	Detects AgentTesla PE

Rule name:	win_agent_tesla_v1 Create hunting rule
Author:	Johannes Bader @viql
Description:	detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip ebc9be49db8a035dc8e8e9432361ba724a1dbba082ad4b322c588cbc78b34747

AgentTesla

exe acef7155f56a1434770c602a92ebf4945474ad85e9382df19ff5d3ffee461423

(this sample)

Delivery method

Other

Dropped by

SHA256 ebc9be49db8a035dc8e8e9432361ba724a1dbba082ad4b322c588cbc78b34747

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample