MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c01c0556641fcb384b2ab40d5d4a3fb6c5f119590b679e8957065038699c88a1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 8


Intelligence 8 IOCs YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c01c0556641fcb384b2ab40d5d4a3fb6c5f119590b679e8957065038699c88a1
SHA3-384 hash: 19337cf7369a8d8df666568d7f998102e95eb23e2b1753c2da357f65f2c7800ca629c5fa56147e552fd3382d5114b9cb
SHA1 hash: 263ed37a41363c02bdac070f484ef85ba9a160c7
MD5 hash: c2a6253950aa3cd627df8e7671cc211a
humanhash: april-fish-avocado-uncle
File name:Purchase Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:528'384 bytes
First seen:2020-09-29 14:18:47 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'647 x AgentTesla, 19'450 x Formbook, 12'201 x SnakeKeylogger)
ssdeep 12288:OpVNjP6eP9U0AGVAX1mAQP2GGb9+ETyUQGbqugZc:OzjP6+U+KX1mr2GO9LTyVGbquz
Threatray 221 similar samples on MalwareBazaar
TLSH E0B4CFCCEE406A76D65D6C7986F4FE5E63FCC4670D92E26508B3F9894232A901F42CD2
Reporter James_inthe_box
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
94
Origin country :
n/a
Vendor Threat Intelligence
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/66785/
Detection(s):
SecuriteInfo.com.MSIL.Kryptik.VFR-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Creating a window
Using the Windows Management Instrumentation requests
Creating a file
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/477521
Signature
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c01c0556641fcb384b2ab40d5d4a3fb6c5f119590b679e8957065038699c88a1/
Threat name:
ByteCode-MSIL.Trojan.Sudloader
Create hunting rule
Status:
Malicious
First seen:
2020-09-29 12:10:13 UTC
File Type:
PE (.Net Exe)
Extracted files:
4
AV detection:
23 of 29 (79.31%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yaoakvted7ftqszkwqgv2sr7w3c7cgkzbntz5ckxazidq2m4rcqq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
2769e7180962969c0f1cfaa16850c17e6a44b298b3c5899d32b37366a090727d
AgentTesla
423349485a78884c5ed9d7a2b933f65d4ca59c1e6bc0543b752ccac6bf6e0b95
AgentTesla
5d686ec9f4a6538677095df0d83620d6d04b38e5a84ec5452879786418ce61ea
AgentTesla
65e1f86de7b69f4eac3430c49757b5b11905ded68d9a6c7d1eca46f8609db4a1
AgentTesla
7b5cd0182b1122c0231fb30af6252fe4b0b9a9dd0962d14264ff1f09ced46943
AgentTesla
8ca10b0fcde48ff00c9218062eb8aefe2a9d3ddc5e240a9da4a2e7764cbfff90
AgentTesla
a85c3ac8222d07437593f5c46c995873223123ce84fea52633bd886ee1d2c6f7
AgentTesla
b048deffae10786cce2ffe352fc6415cd4549c49505f34e18e7fc820d7d20a1d
AgentTesla
c48e35f8fcabd28e3598287342ddc3f3d28f24d6415786a980675d456e0836f9
AgentTesla
e03c4f9c8ae0b28a7538315c3af97428339911bd6118371c0459adfd14abca44
AgentTesla
+ 211 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
spyware keylogger trojan stealer family:agenttesla evasion
Link:
https://tria.ge/reports/200929-z6dqk8ps66/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Looks up external IP address via web service
Maps connected drives based on registry
Checks BIOS information in registry
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Looks for VMWare Tools registry key
Looks for VirtualBox Guest Additions in registry
AgentTesla
Unpacked files
SH256 hash:
c01c0556641fcb384b2ab40d5d4a3fb6c5f119590b679e8957065038699c88a1
MD5 hash:
c2a6253950aa3cd627df8e7671cc211a
SHA1 hash:
263ed37a41363c02bdac070f484ef85ba9a160c7
Link:
https://www.unpac.me/results/75f94f6f-4ced-4d95-804e-593393a051b3/
SH256 hash:
720a4396ccfa5c4a664e8f51ea8a3ee10f8b8fa7e912f4209dab5a2e3a9094d7
MD5 hash:
d4deb7229a2ec390290d4754b8a5ab08
SHA1 hash:
bdedb0f77d34646899229ff3f1a88fb7b47d6463
Link:
https://www.unpac.me/results/75f94f6f-4ced-4d95-804e-593393a051b3/
SH256 hash:
729a1b125fb330463c22a87c061e384300f49bd9d6793836bb3e52bcb61cc03f
MD5 hash:
ac3f427e66b28b013b0b651c2f71d1e9
SHA1 hash:
ddf8b4b1d36aced75740632b41d30add06b5db3d
Link:
https://www.unpac.me/results/75f94f6f-4ced-4d95-804e-593393a051b3/
SH256 hash:
65c713b18aceae800646ed1f59c703119be3a086927ee0ab94f28fec5e75d351
MD5 hash:
599f859c2e78a2ef42c31549326568d4
SHA1 hash:
f3d775e3af94eae6a6a5881401095b645b156606
Link:
https://www.unpac.me/results/75f94f6f-4ced-4d95-804e-593393a051b3/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c01c0556641fcb384b2ab40d5d4a3fb6c5f119590b679e8957065038699c88a1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Delivery method
Other
Cape
Cape
https://www.capesandbox.com/analysis/66785/

Comments