MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 aedc0dc0a6e305ab1cbfc39d97221b4dbdfa5407cb8f5b1a87f93903db03c8dc. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla

Vendor detections: 9

Intelligence 9 IOCs YARA 3 File information Comments

SHA256 hash:	aedc0dc0a6e305ab1cbfc39d97221b4dbdfa5407cb8f5b1a87f93903db03c8dc
SHA3-384 hash:	dc81f6802c049c6a20ce20ecd3f3459a455673540d819f223f1c43a09e93e1198fed01c6cba3730e81de50bf698a0dc2
SHA1 hash:	28554694ad2742cac5a5b445be6513352057dd66
MD5 hash:	151cab7fdf132b81e8a06efbc9dcec0a
humanhash:	glucose-california-bakerloo-mexico
File name:	NEW PI#001890576.exe
Download:	download sample
Signature	AgentTesla Create hunting rule
File size:	707'584 bytes
First seen:	2021-05-10 17:47:52 UTC
Last seen:	2021-05-10 19:13:04 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep	12288:H4yoLLoS60/K7yh0vz9c3hHyentRJ2LJJtCUd36Ta:XoLAu3r7J2F7PqT
Threatray	4'741 similar samples on MalwareBazaar
TLSH	B2E46BFC755464F0E35B5C23A3CF0C0782651274A93B6A0E9B6013BE5A67E273E3998D
Reporter	abuse_ch
Tags:	AgentTesla exe

Intelligence

File Origin

# of uploads :

# of downloads :

108

Origin country :

n/a

Vendor Threat Intelligence

Malware family:

n/a

ID:

File name:

download

Verdict:

No threats detected

Analysis date:

2021-05-10 22:45:01 UTC

Tags:

n/a

Link:

https://app.any.run/tasks/681fe94f-4884-4e56-b6ba-8676d633da11

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

n/a

Link:

https://www.capesandbox.com/analysis/154275/

Detection(s):

SecuriteInfo.com.Trojan.Win32.Save.a.19506.119.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Sending a UDP request

Creating a window

Unauthorized injection to a recently created process

Creating a file

Result

Verdict:

UNKNOWN

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result

Threat name:

AgentTesla

Detection:

malicious

Classification:

troj.spyw.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/779170

Signature

.NET source code contains potential unpacker

Found evasive API chain (trying to detect sleep duration tampering with parallel thread)

Found malware configuration

Injects a PE file into a foreign processes

Multi AV Scanner detection for submitted file

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to steal Mail credentials (via file access)

Yara detected AgentTesla

Yara detected AntiVM3

Behaviour

Behavior Graph:

Download SVG

Detection:

agenttesla

Link:

https://mwdb.cert.pl/sample/aedc0dc0a6e305ab1cbfc39d97221b4dbdfa5407cb8f5b1a87f93903db03c8dc/

Threat name:

ByteCode-MSIL.Backdoor.NanoBot

Status:

Malicious

First seen:

2021-05-10 16:52:24 UTC

AV detection:

14 of 29 (48.28%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=v3oa3qfg4mc2whf7yoozoiq3jw67uvahzohvwguh7e4qhwydzdoa._file

Verdict:

malicious

Label(s):

agenttesla

AgentTesla

40bfbe52bde4b85e383d2b449fb08748e1c4d1a86143ef71ddcc2740d8a5b0ce

AgentTesla

52a2f5a09b78228b44fe6f9dde56cbd8829a5d3d1ebb5bdfc0fce0bd781f1a94

AgentTesla

570c0394104f3b8a1dcae244814fe851e851c7f7d740d6a24715f2c1c51d35ae

AgentTesla

5c29a539dce239a74350459e71421bec8f0e925b218aeb8aed8e3067d2ae7f32

AgentTesla

64b48783de6703f4644779f5d7ad11600ef2c1cb8d213773a84f8bd623b3c17d

AgentTesla

9805afbc4ec53bea5c08ab912445f1a9e34791eeaaba6c8ec0d50223e2c6005b

AgentTesla

bd54959eceee1571ce73137460bfc91834637898818324fe5cafce27074ed114

AgentTesla

edc35a30929551065c11f8606ebe20772d1fbf3aeaf35e60f3117cf28361ac9b

AgentTesla

f104dda9f5fb6e0f5659843ce1698c2da434fe2cd9e986a4cd410c0473ca6cf6

AgentTesla

+ 4'731 additional samples on MalwareBazaar

Result

Malware family:

agenttesla

Score:

10/10

Tags:

family:agenttesla keylogger spyware stealer trojan

Link:

https://tria.ge/reports/210510-5mr599gwax/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Reads data files stored by FTP clients

Reads user/profile data of local email clients

Reads user/profile data of web browsers

AgentTesla Payload

AgentTesla

Please note that we are no longer able to provide a coverage score for Virus Total.

Threat name:

Malicious File

Score:

1.00

Link:

https://yomi.yoroi.company/submissions/aedc0dc0a6e305ab1cbfc39d97221b4dbdfa5407cb8f5b1a87f93903db03c8dc

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	INDICATOR_SUSPICIOUS_Stomped_PECompilation_Timestamp_InTheFu Create hunting rule
Author:	ditekSHen
Description:	Detect executables with stomped PE compilation timestamp that is greater than local current time

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape

https://www.capesandbox.com/analysis/154275/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample