MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c04d9dda88a75f4ed924e20617847a4d7a8ff729754e8ad66f3557fb90ed5d25. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c04d9dda88a75f4ed924e20617847a4d7a8ff729754e8ad66f3557fb90ed5d25
SHA3-384 hash: 979a5e33b449e5b7aadc5d2b1882633093af767242336f75e9bc0b03e7b2b2ec8808e9e37bbdea5e7b6e4e9038f98f1c
SHA1 hash: 1d53935b95af2d8d3f056e01afc748293f5226d3
MD5 hash: e328327846a5710ec06b88eddfe5f58a
humanhash: white-rugby-four-whiskey
File name:Customer Order, Images, Spec.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:335'360 bytes
First seen:2020-12-08 06:35:24 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash a262877a36fc7e0f830054e0f70f76cb (7 x Matiex, 4 x AgentTesla, 4 x Loki)
ssdeep 6144:7Iq0NpOK3Lp/tNGb3QWZ2BgcgjF78aI8JjwFhOQd6+rdxc5HC5EhKjMFwJV:7Iv9FNkK2c+7zT508Qd6+rdYmEhBCJ
Threatray 1'773 similar samples on MalwareBazaar
TLSH 96641218F9825035E226183949B4E531A97EBD0367F0424F2FB9247D9EB3BE27EB4351
Reporter cocaman
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
102
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
Customer Order, Images, Spec.exe
Verdict:
Malicious activity
Analysis date:
2020-12-08 06:51:21 UTC
Tags:
rat agenttesla
Link:
https://app.any.run/tasks/19dc23b5-c245-4ecd-80ed-0fcc51daca52

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/107155/
Detection(s):
SecuriteInfo.com.ArtemisE328327846A5.4882.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Sending a UDP request
Unauthorized injection to a recently created process
Creating a window
Using the Windows Management Instrumentation requests
Result
Gathering data
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/557600
Signature
Antivirus / Scanner detection for submitted sample
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Mail credentials (via file access)
Yara detected AgentTesla
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c04d9dda88a75f4ed924e20617847a4d7a8ff729754e8ad66f3557fb90ed5d25/
Threat name:
Win32.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2020-12-08 02:02:45 UTC
File Type:
PE (Exe)
AV detection:
28 of 29 (96.55%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ybgz3wuiu5pu5wje4idbpbd2jv5i75zjovhivvtpgvl7xehnlusq._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
0f077fb618914c9f987dc7975a5e4c6372234ca35c292de29d864c494910928c
AgentTesla
2a24e55affebdf336e67fe9ba8f667b095784a6bc6857ce8b89e7c48c8a8fd21
AgentTesla
345597dd8973b67e999a9e16ccd9fd1a4935aab9477f79f540359f2e1472bb81
AgentTesla
5c29a539dce239a74350459e71421bec8f0e925b218aeb8aed8e3067d2ae7f32
AgentTesla
b0cea585c416540b6820f91a0c1cf8d8eb6776ec0cecce0709cd2c22f15f7cc3
AgentTesla
be48a66b718f94c2379453ff845e0047504573e3c0e1a9f7ab3011dab1c06b57
AgentTesla
bee3c64a4d3862a54f11a05303fb39c9768891841673269e477d0d87ec1862e2
AgentTesla
c32319a00c304265cd1bf26cba8be19edd08ebefc4cac72d1b8dccdeaace40d3
AgentTesla
ce431d943b7df67690c0c89d1556a8d9ca222a78568d56c8c3aeaccc74f40fd4
AgentTesla
ff30ebf52489bc096912d3d89259f8f6e44ec3ced1d124094d10f2fbfaa18590
AgentTesla
+ 1'763 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201208-26ylqqxgee/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c04d9dda88a75f4ed924e20617847a4d7a8ff729754e8ad66f3557fb90ed5d25
MD5 hash:
e328327846a5710ec06b88eddfe5f58a
SHA1 hash:
1d53935b95af2d8d3f056e01afc748293f5226d3
Link:
https://www.unpac.me/results/ae4c55e0-db67-4f2a-834a-dc9bf83866c5/
SH256 hash:
b2066d1a06e00dd7f91980a1da3441f23625677ac2c0ab97168733831f06cf71
MD5 hash:
3d549723441dccc8cf1de6b7f7daf733
SHA1 hash:
68f4a2c287731d8e0b230a2161726fb37ee061c6
Link:
https://www.unpac.me/results/ae4c55e0-db67-4f2a-834a-dc9bf83866c5/
SH256 hash:
bffb93d152a159cf240ff572c854f33809cdfbdd55e1238a81add006d55f3363
MD5 hash:
57ca67b1f43493941e44f10579263602
SHA1 hash:
94fc7a9402629942aff9d6044397940c5e3489db
Link:
https://www.unpac.me/results/ae4c55e0-db67-4f2a-834a-dc9bf83866c5/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c04d9dda88a75f4ed924e20617847a4d7a8ff729754e8ad66f3557fb90ed5d25

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

zip 2ca45d6949c858e433a21b5fb221501e68f0e4da067ef6265b257bb6f3e71ef5

AgentTesla

Executable exe c04d9dda88a75f4ed924e20617847a4d7a8ff729754e8ad66f3557fb90ed5d25

(this sample)

  
Delivery method
Other
  
Dropped by
SHA256 2ca45d6949c858e433a21b5fb221501e68f0e4da067ef6265b257bb6f3e71ef5
Cape
Cape
https://www.capesandbox.com/analysis/107155/

Comments