MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c0a17f9f4dbacd527080d7211402f75a2a6308e288fed4561030e512ccbca7bd. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 7


Intelligence 7 IOCs YARA 2 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c0a17f9f4dbacd527080d7211402f75a2a6308e288fed4561030e512ccbca7bd
SHA3-384 hash: bf0484ed2389757e85ac4c0f84477f42851931feff9e20d82c7ac594c813c0ab752893d9e2b6b34ec922eb00ac59481f
SHA1 hash: 59fed14bf206c61cfc8fc67afcfebef3ef914984
MD5 hash: f23d783b86015506bae8848c83ac8273
humanhash: utah-rugby-grey-rugby
File name:Purchase Order.exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:609'280 bytes
First seen:2020-10-12 11:54:01 UTC
Last seen:2020-10-14 10:07:55 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'742 x AgentTesla, 19'607 x Formbook, 12'242 x SnakeKeylogger)
ssdeep 12288:1ite2Lskm9IgXeBU9PZG6AftfJTQMr45mSdkI58gv:SRLgzXhZeJXr45rdV1
Threatray 136 similar samples on MalwareBazaar
TLSH 7CD402B0A3499F6FCAFD00BA8C12164513F4E1527A95FBD96DF022DC56D27420B237EA
Reporter GovCERT_CH
Tags:AgentTesla

Intelligence

File Origin
# of uploads :
6
# of downloads :
93
Origin country :
n/a
Vendor Threat Intelligence
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/70070/
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Sending a UDP request
Launching a process
Creating a file
Unauthorized injection to a system process
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/488367
Signature
.NET source code contains very large array initializations
Allocates memory in foreign processes
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM_3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/c0a17f9f4dbacd527080d7211402f75a2a6308e288fed4561030e512ccbca7bd/
Threat name:
ByteCode-MSIL.Infostealer.Stelega
Create hunting rule
Status:
Malicious
First seen:
2020-10-11 23:42:08 UTC
File Type:
PE (.Net Exe)
Extracted files:
16
AV detection:
24 of 29 (82.76%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=ycqx7h2nxlgve4ea24qriaxxlivggchcrd7nivqqgdsrftf4u66q._file
Verdict:
unknown
Similar samples:
269770044a2b90764179e7d03229a3977e6034257d036c9f3d977803107f8b24
AgentTesla
37ec75a709a7b6730579f6fc525b3a53695bde0ca4b947a2226e3ec9f062309b
AgentTesla
3bc98b348217fdba3ff7a6128fc6b2ae45656f268d31065ead8aace44ba83aba
AgentTesla
8b153c32e397a1c5a47b67cd4306a8d946607fecba641ac2986b8e330af5193d
AgentTesla
95aa19eb5f26f4bc344f51d934138cb3f9a435fccb29a1d53277b06ecbb926cd
AgentTesla
ba4e39e16f3599f9bfe3b5dd1664e0d071d2dfeb308e9380778c8360495f61d5
AgentTesla
d3b1b01d88e939b5b448fbdd1b9a04250bee0c46ae137dd2cccc354dea9a157e
AgentTesla
d406a7a9f53d855c09c085482979c935b2668db373e5809b7e48dedfb1206a9f
AgentTesla
db7f29881f46de2c7dad595a574bccd452f5c42594266b1465c3f57326010e69
AgentTesla
eb5ca0f288a62e50350df6dd80c6d4e8a17122fc524ccee76e5bd97853dbd27b
AgentTesla
+ 126 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  7/10
Tags:
spyware
Link:
https://tria.ge/reports/201012-de8ms4wlte/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Unpacked files
SH256 hash:
c0a17f9f4dbacd527080d7211402f75a2a6308e288fed4561030e512ccbca7bd
MD5 hash:
f23d783b86015506bae8848c83ac8273
SHA1 hash:
59fed14bf206c61cfc8fc67afcfebef3ef914984
Link:
https://www.unpac.me/results/377bb722-efa3-441d-bc7c-3917f67d8a08/
SH256 hash:
9bee73a2ec0529c6ab16a4800b81666aafc78f747561b191ddcb9fd6f1b53b23
MD5 hash:
53d758035043bfe56c3d32565da34928
SHA1 hash:
1c6a4540768bcea94df7c56f87478e6f2be12d24
Link:
https://www.unpac.me/results/377bb722-efa3-441d-bc7c-3917f67d8a08/
SH256 hash:
13b24d3a09d099dabe41cd6cd71607a77e14640b1e9b4ed2d60f6c012f191c43
MD5 hash:
109cedae3c384a1913107f1efad2b7c8
SHA1 hash:
1f7f35b0ed85fa12bb839cbce698e59a30813420
Link:
https://www.unpac.me/results/377bb722-efa3-441d-bc7c-3917f67d8a08/
SH256 hash:
cb9325495f435f606ee99090ea7d5629f472a9b2ae7367996b38229bd77bf451
MD5 hash:
17d3922ac02fcaf09717bae1b488e937
SHA1 hash:
9adb7b33fca7a17272f9c12d78cd1b7b441bff31
Link:
https://www.unpac.me/results/377bb722-efa3-441d-bc7c-3917f67d8a08/
SH256 hash:
6c7e599add47fd06335a0924c2e2625bfe9b49087fd3fd34335617cb7f575416
MD5 hash:
770b9540ce6e434aa860eed7189c6e22
SHA1 hash:
ef93519ffaa8815d582870bd6e7278303c210865
Link:
https://www.unpac.me/results/377bb722-efa3-441d-bc7c-3917f67d8a08/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Kryptik
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c0a17f9f4dbacd527080d7211402f75a2a6308e288fed4561030e512ccbca7bd

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

AgentTesla

zip 6b042cf5108de1d6ec25035e1037d1439ef3e9421028bee2c5e1d67adf432aff

AgentTesla

Executable exe c0a17f9f4dbacd527080d7211402f75a2a6308e288fed4561030e512ccbca7bd

(this sample)

  
Dropped by
MD5 adf6ec13cf7b5dad46c06b9f5c76c2ee
  
Dropped by
SHA256 6b042cf5108de1d6ec25035e1037d1439ef3e9421028bee2c5e1d67adf432aff
  
Dropped by
AgentTesla
  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/70070/

Comments