MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c01acd7c0f1362bc8c9592e676a8293947fe9d2973b02a0722ece823fe3c640b. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 9


Intelligence 9 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c01acd7c0f1362bc8c9592e676a8293947fe9d2973b02a0722ece823fe3c640b
SHA3-384 hash: 2fc02e34cd0d274daa7281aa1032c694fcee6b948376d4fd8aa56843b4ed84580e76f90b809fc72536c54e11196af4a1
SHA1 hash: 802ee6c6b70db0d15d5e65a33c1784b88b1c0c06
MD5 hash: 13aa0ad759dd41c761c277f89ad657fa
humanhash: oven-oklahoma-twenty-oscar
File name:friday morning j.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:832'512 bytes
First seen:2020-09-25 13:29:54 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 971465ba55aa2969c976f7f768bcd887 (2 x AgentTesla, 1 x Matiex, 1 x Pony)
ssdeep 12288:JRWVDU5/k9qEX4H8HTPz29gd/zKelytqTE7Q/cxJrP6Qsl57WZr35f4:JRgV9lX4ePztJzKe4QTnExJrP6LRWvA
Threatray 1'761 similar samples on MalwareBazaar
TLSH E7059E22B2A04837C5732938DD0B57B8A936BE513A25AF462FF5DC4C7F397903825297
Reporter abuse_ch
Tags:AgentTesla exe


Avatar
abuse_ch
Malspam distributing unidentified malware:

From: "PT. Jaya Trade Indonesia." <youmale.lee@hotmail.com>
Reply-To: youmale.lee@hotmail.com
Subject: New Order Container 40 Feet For Your Products / Ship To Turkey
Attachment: PT-JAYA NEW ORDER 40 FEET CIFPDF.zip (contains "friday morning j.exe")

Intelligence

File Origin
# of uploads :
1
# of downloads :
101
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/65843/
Detection(s):
PUA.Win.Adware.Slugin-6803969-0
Create hunting rule

PUA.Win.Adware.Slugin-6840354-0
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Unauthorized injection to a recently created process
Launching a process
Using the Windows Management Instrumentation requests
Unauthorized injection to a system process
Enabling autorun by creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/475197
Signature
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Delayed program exit found
Detected unpacking (changes PE section rights)
Detected unpacking (creates a PE file in dynamic memory)
Detected unpacking (overwrites its own PE header)
Drops VBS files to the startup folder
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sigma detected: Drops script at startup location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 signatures2 2 Behavior Graph ID: 290058 Sample: friday morning j.exe Startdate: 25/09/2020 Architecture: WINDOWS Score: 100 27 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->27 29 Multi AV Scanner detection for submitted file 2->29 31 Detected unpacking (changes PE section rights) 2->31 33 8 other signatures 2->33 7 wscript.exe 1 2->7         started        9 friday morning j.exe 2->9         started        process3 signatures4 12 friday morning j.exe 7->12         started        43 Writes to foreign memory regions 9->43 45 Allocates memory in foreign processes 9->45 47 Maps a DLL or memory area into another process 9->47 49 Queues an APC in another process (thread injection) 9->49 15 notepad.exe 1 9->15         started        17 friday morning j.exe 2 9->17         started        process5 signatures6 51 Writes to foreign memory regions 12->51 53 Allocates memory in foreign processes 12->53 55 Maps a DLL or memory area into another process 12->55 19 friday morning j.exe 8 2 12->19         started        22 notepad.exe 1 12->22         started        57 Drops VBS files to the startup folder 15->57 59 Delayed program exit found 15->59 process7 file8 35 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 19->35 37 Tries to steal Mail credentials (via file access) 19->37 39 Tries to harvest and steal ftp login credentials 19->39 41 Tries to harvest and steal browser information (history, passwords, etc) 19->41 25 C:\Users\user\AppData\Roaming\...\yes.vbs, ASCII 22->25 dropped signatures9
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c01acd7c0f1362bc8c9592e676a8293947fe9d2973b02a0722ece823fe3c640b/
Threat name:
Win32.Infostealer.Fareit
Create hunting rule
Status:
Malicious
First seen:
2020-09-25 10:03:25 UTC
AV detection:
27 of 29 (93.10%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yanm27apcnrlzdevslthnkbjhfd75hjjooycubzc5tuch7r4mqfq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
18a2826ae0c8ce3e76a5cb806e89d0070f70cc372cf37468721b8caf8529f401
AgentTesla
4ae1deecb4b64f1e1b13b215c6b426cd887f1f5b072fb153916373766191d5df
AgentTesla
51c6d5ac53034179bcbec97268efdd665f30692376284fed57bb257f42fe17c8
AgentTesla
529a07889f04d93d54830021a424321fd763b41fe8b8941de3ea1c79eae21532
AgentTesla
68c67f845d8c48aa74901553deb7cc31b7f2a27954d75e4f67093c70f81eb9d6
AgentTesla
72ce6d54e53bef9b40b4bc65658af46c49cbc340e87aa8ed7a4d0ef574a1e45c
AgentTesla
778999d611a2a22f82d48b71e94588b86336376e30b07cb1c3f2230959cc10ab
AgentTesla
a6d47a142ce8ca991f9090ff981c4a4c5a021030fcc9610a582ecb8c96b607bd
AgentTesla
c1c58c6918062b4e641a924b19712a015d1a74b184e3fb19e444216edbdfcedd
AgentTesla
eb8ac6c18675770e603ff7b7c3076cab5bafda10a3634d50d575185d04506708
AgentTesla
+ 1'751 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
upx spyware keylogger trojan stealer family:agenttesla
Link:
https://tria.ge/reports/200925-rddn527gsn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops startup file
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
UPX packed file
AgentTesla
Unpacked files
SH256 hash:
c01acd7c0f1362bc8c9592e676a8293947fe9d2973b02a0722ece823fe3c640b
MD5 hash:
13aa0ad759dd41c761c277f89ad657fa
SHA1 hash:
802ee6c6b70db0d15d5e65a33c1784b88b1c0c06
Link:
https://www.unpac.me/results/89952be0-890d-4fa2-899a-50ce368f3247/
SH256 hash:
64df0551ccea9e7b644019e29fbf789eea81ce7dc3c52c2ae4181caf080b17fd
MD5 hash:
24fc57c2b79096b68b11cad06c51cede
SHA1 hash:
d4f9628cb71278b90d1cc702ef5b496a18077691
Link:
https://www.unpac.me/results/89952be0-890d-4fa2-899a-50ce368f3247/
SH256 hash:
15af95628be624509749f4a673d8fcf608120193354daefdf2c17ce6df90f534
MD5 hash:
7d106efca2075e995c05d869b4c80628
SHA1 hash:
ef32c8fbbbcea1954ca2c797bbe824d6a42beff6
Link:
https://www.unpac.me/results/89952be0-890d-4fa2-899a-50ce368f3247/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Lokibot
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c01acd7c0f1362bc8c9592e676a8293947fe9d2973b02a0722ece823fe3c640b

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 090dd1a7763d41f5094207b9cedcda27852ff4f3a280a45026e5f95534d4aa44

AgentTesla

Executable exe c01acd7c0f1362bc8c9592e676a8293947fe9d2973b02a0722ece823fe3c640b

(this sample)

  
Dropped by
MD5 a6f0204e7a2eb3073d1822701f1e4739
  
Delivery method
Distributed via e-mail attachment
  
Dropped by
SHA256 090dd1a7763d41f5094207b9cedcda27852ff4f3a280a45026e5f95534d4aa44
Cape
Cape
https://www.capesandbox.com/analysis/65843/

Comments