MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 af78e9a2d4a82521ad67cc63493b8525ebf8c2c1b1fb2530162250daafeb2ec7. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

AgentTesla
Vendor detections: 6

SHA256 hash: af78e9a2d4a82521ad67cc63493b8525ebf8c2c1b1fb2530162250daafeb2ec7
SHA3-384 hash: d3652bfc9b0bfd5d0de9cb2f1c9211b9461efd5ad585cf94ddf87fed93aa0a0b635b2f1868852639dddeeeb716c4b5db
SHA1 hash: 358d9fd2443ae54a716d0e9f6737fa0840a69aca
MD5 hash: 577726348cb78196c2707b448d13f308
humanhash: two-quiet-freddie-beer
File name: 577726348cb78196c2707b448d13f308.exe
Signature: AgentTesla
File size: 737'792 bytes
First seen: 2020-10-05 11:09:58 UTC
Last seen: Never
File type: Executable exe
MIME type: application/x-dosexec
imphash: 3d428173b181e83384eb653137e4f549 (4 x AgentTesla, 4 x Loki, 2 x HawkEye)
ssdeep: 12288:D6LIdiPeP0pK+6kP/j2hEfPgqZkY4AJ0fwl/5+nkbnCk:D6rrc+6o+EAqqG0UIGN
Threatray: 1'773 similar samples on MalwareBazaar
TLSH: 58F48E63E2E0C43FC16316399C0B5BFC5A3AFDD02A24984A6BF4DE4C9F396907915297
Reporter: abuse_ch
Tags: AgentTesla exe

Intelligence


File Origin
# of uploads: 1
# of downloads: 95
Origin country: n/a

Vendor Threat Intelligence
Result
Verdict: Malware
Maliciousness:

Behaviour
Creating a window
Unauthorized injection to a recently created process
Sending a UDP request
Using the Windows Management Instrumentation requests
Creating a file in the %temp% subdirectories
Launching the default Windows debugger (dwwin.exe)
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Result
Threat name: AgentTesla
Detection: malicious
Classification: troj.evad
Score: 100 / 100
Signature
Contains functionality to detect sleep reduction / modifications
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for dropped file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Yara detected AgentTesla
Behaviour
Behavior Graph (ID 293062; sample v9sIc4NUq6.exe; start date 05/10/2020; architecture WINDOWS; score 100). The rendered graph is not reproduced here; the recovered nodes, edges and per-node findings are listed below (node numbers are the graph's own):
Sample-level signatures: Yara detected AgentTesla; Machine Learning detection for sample
  v9sIc4NUq6.exe (7): Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to detect sleep reduction / modifications
    v9sIc4NUq6.exe (14): dropped C:\Users\user\AppData\Local\...\nwama.exe (PE32) and C:\Users\user\...\nwama.exe:Zone.Identifier (ASCII); Hides that the sample has been downloaded from the Internet (zone.identifier)
      WerFault.exe (22): dropped C:\ProgramData\Microsoft\...\Report.wer (Little-endian)
  nwama.exe (10): Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    nwama.exe (18)
  nwama.exe (12): Maps a DLL or memory area into another process
    nwama.exe (20)
      WerFault.exe (25)
Threat name: Win32.Trojan.Wacatac
Status: Malicious
First seen: 2020-10-05 11:11:05 UTC
AV detection: 16 of 48 (33.33%)
Threat level: 5/5
Result
Malware family: n/a
Score: 9/10
Tags: upx persistence
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Adds Run key to start application
UPX packed file
ServiceHost packer
Unpacked files
Please note that we are no longer able to provide a coverage score for VirusTotal.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. These rules are matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps those samples create. Please note that only results from TLP:CLEAR rules are displayed.

Rule name: ach_AgentTesla_20200929
Author: abuse.ch
Description: Detects AgentTesla PE

Rule name: win_agent_tesla_v1
Author: Johannes Bader @viql
Description: detects Agent Tesla

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Comments